diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index c9595d4d0fd..527d2988246 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -247,6 +247,7 @@
 /packages/trellix_epo_cloud @elastic/security-external-integrations
 /packages/trend_micro_vision_one @elastic/security-external-integrations
 /packages/trendmicro @elastic/security-external-integrations
+/packages/tychon @elastic/security-external-integrations
 /packages/udp @elastic/security-external-integrations
 /packages/universal_profiling_agent @elastic/profiling
 /packages/universal_profiling_collector @elastic/profiling
diff --git a/packages/tychon/LICENSE.txt b/packages/tychon/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/tychon/LICENSE.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/tychon/_dev/build/build.yml b/packages/tychon/_dev/build/build.yml
new file mode 100644
index 00000000000..074278e5b1f
--- /dev/null
+++ b/packages/tychon/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.8.0
diff --git a/packages/tychon/_dev/build/docs/README.md b/packages/tychon/_dev/build/docs/README.md
new file mode 100644
index 00000000000..9b319086e30
--- /dev/null
+++ b/packages/tychon/_dev/build/docs/README.md
@@ -0,0 +1,96 @@
+# TYCHON Agentless
+
+[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source Master Endpoint Record data from endpoints, including vulnerability and STIG results, without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/)
+
+## Compatibility
+
+* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems.
+* This integration requires a TYCHON Agentless license.
+* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files.
+* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data.
+* This integration supports Elastic 8.8+.
+
+## Returned Data Fields
+### ARP Table Information
+
+TYCHON scans Endpoint ARP Tables and returns the results.
+
+**Exported fields**
+{{fields "tychon_arp"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint CPU's and returns the results.
+
+**Exported fields**
+{{fields "tychon_cpu"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint vulnerablities and returns the results.
+
+**Exported fields**
+{{fields "tychon_cve"}}
+
+### Endpoint Protection Platform
+
+TYCHON scans the Endpoint's Windows Defender and returns protection status and version details.
+
+**Exported fields**
+{{fields "tychon_epp"}}
+
+### Endpoint Exposed Services Information
+
+The TYCHON script to scan Endpoint Exposed Services and returns information.
+
+**Exported fields**
+{{fields "tychon_exposedservice"}}
+
+### Endpoint Hard Drive Information
+
+The TYCHON script scans an endpoint's Hard Drive Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_harddrive"}}
+
+### Endpoint Hardware Information
+
+The TYCHON script scans an endpoint's Hardware Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_hardware"}}
+
+### Endpoint Host OS Information
+
+The TYCHON script scans an endpoint's OS Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_host"}}
+
+### Endpoint Network Adapters Information
+
+The TYCHON script scans an endpoint's Network Adapter Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_networkadapter"}}
+
+### Endpoint Software Inventory Information
+
+The TYCHON script scans an endpoint's Software Inventory and returns information.
+
+**Exported fields**
+{{fields "tychon_softwareinventory"}}
+
+### Endpoint STIG Information
+
+The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+
+**Exported fields**
+{{fields "tychon_stig"}}
+
+### Endpoint Volume Information
+
+The TYCHON script scans an endpoint's Volume Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_volume"}}
diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml
new file mode 100644
index 00000000000..c3c87258df3
--- /dev/null
+++ b/packages/tychon/changelog.yml
@@ -0,0 +1,5 @@
+- version: 0.0.58
+ changes:
+ - description: Fixed incorrect types in field.yml and cleaned up formatting
+ type: enhancement
+ link: https://github.com/joeperuzzi/integrations/pull/5 # FIXME Replace with the real PR link
diff --git a/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json
new file mode 100644
index 00000000000..4309380a3fd
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json
@@ -0,0 +1,51 @@
+{
+ "events": [
+ {
+ "script.type": "powershell",
+ "host.os.build": "22621",
+ "host.ip": [
+ "10.154.5.200"
+ ],
+ "host.hostname": "DESKTOP-AF7CIQM",
+ "host.os.name": "Microsoft Windows 11 Pro",
+ "host.hardware.manufacturer": "Dell Inc.",
+ "@timestamp": "2023-08-16T05:22:36Z",
+ "script.start": "2023-08-16T05:22:36Z",
+ "destination.mac": "00-09-0F-AA-00-02",
+ "host.hardware.owner": "james_sudbury@msn.com",
+ "host.hardware.cpu.caption": "Intel64 Family 6 Model 141 Stepping 1",
+ "destination.hostname": "Request timed out (700 ms)",
+ "host.os.organization": "",
+ "host.workgroup": "WORKGROUP",
+ "host.hardware.serial_number": "HYLCKG3",
+ "host.ipv4": "10.154.5.200",
+ "host.os.version": "2009",
+ "network.direction": "external",
+ "host.hardware.bios.name": "Dell Inc.",
+ "host.type": "Workstation",
+ "network.type": "IPv4",
+ "destination.name": "Request timed out (700 ms)",
+ "host.id": "47b5d5906f7d4b288a1366b2f6483148_4C4C4544-0059-4C10-8043-C8C04F4B4733_DESKTOP-AF7CIQM_WORKGROUP",
+ "host.biossn": "4C4C4544-0059-4C10-8043-C8C04F4B4733",
+ "host.mac": [
+ "60:E3:2B:4B:40:E2"
+ ],
+ "network.interface": "Ethernet 3",
+ "host.oem.model": "XPS 17 9710",
+ "host.uptime": "594263.4592614",
+ "id": "DESKTOP-AF7CIQM#6#10.70.4.15#10.70.4.16",
+ "script.current_time": "2023-08-16T05:22:37Z",
+ "script.name": "Get-TychonArpInfo.ps1",
+ "network.state": "dynamic",
+ "script.version": "2.3.53.0",
+ "host.oem.manufacturer": "Dell",
+ "host.os.description": "",
+ "script.current_duration": "1809.94",
+ "host.ipv6": "fe80::c2c9:f4e0:eb65:2c33",
+ "destination.ip": "10.70.4.16",
+ "host.hardware.bios.version": "1.20.1",
+ "host.domain": "",
+ "host.os.family": "Windows"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-config.yml b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
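Review bot: The fixture's `host.hardware.owner` value `james_sudbury@msn.com` looks like a real person's e-mail address, and `host.hardware.serial_number` / `host.biossn` look like a real Dell service tag and board UUID; the same strings are repeated in test-arp.json-expected.json and will ship with the published package. Test data should use obviously synthetic values, e.g. `"host.hardware.owner": "owner@example.com"` and a placeholder serial such as `"host.hardware.serial_number": "SERIAL0001"` (constructed placeholders), with the expected file updated to match. The CPU fixture in this commit already uses a generic `admin` owner and a VMware serial, so it does not need the same treatment.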
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json
new file mode 100644
index 00000000000..2bbfaf00f64
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json
@@ -0,0 +1,85 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-10-05T13:48:07.498243391Z",
+ "destination": {
+ "hostname": "Request timed out (700 ms)",
+ "ip": "10.70.4.16",
+ "mac": "00-09-0F-AA-00-02",
+ "name": "Request timed out (700 ms)"
+ },
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "ingested": "2023-10-05T13:48:07.498243391Z",
+ "kind": "state",
+ "module": "tychon",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "biossn": "4C4C4544-0059-4C10-8043-C8C04F4B4733",
+ "domain": "",
+ "hardware": {
+ "bios": {
+ "name": "Dell Inc.",
+ "version": "1.20.1"
+ },
+ "cpu": {
+ "caption": "Intel64 Family 6 Model 141 Stepping 1"
+ },
+ "manufacturer": "Dell Inc.",
+ "owner": "james_sudbury@msn.com",
+ "serial_number": "HYLCKG3"
+ },
+ "hostname": "DESKTOP-AF7CIQM",
+ "id": "47b5d5906f7d4b288a1366b2f6483148_4C4C4544-0059-4C10-8043-C8C04F4B4733_DESKTOP-AF7CIQM_WORKGROUP",
+ "ip": [
+ "10.154.5.200"
+ ],
+ "ipv4": [
+ "10.154.5.200"
+ ],
+ "ipv6": "fe80::c2c9:f4e0:eb65:2c33",
+ "mac": [
+ "60-E3-2B-4B-40-E2"
+ ],
+ "oem": {
+ "manufacturer": "Dell",
+ "model": "XPS 17 9710"
+ },
+ "os": {
+ "build": "22621",
+ "description": "",
+ "family": "Windows",
+ "name": "Microsoft Windows 11 Pro",
+ "organization": "",
+ "version": "2009"
+ },
+ "type": "Workstation",
+ "uptime": 594263,
+ "workgroup": "WORKGROUP"
+ },
+ "id": "DESKTOP-AF7CIQM#6#10.70.4.15#10.70.4.16",
+ "network": {
+ "direction": "external",
+ "interface": "Ethernet 3",
+ "state": "dynamic",
+ "type": "IPv4"
+ },
+ "script": {
+ "current_duration": 1809.94,
+ "current_time": "2023-08-16T05:22:37Z",
+ "name": "Get-TychonArpInfo.ps1",
+ "start": "2023-08-16T05:22:36Z",
+ "type": "powershell",
+ "version": "2.3.53.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..a65baf9d532
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml
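Review bot: The `{{#contains "forwarded" tags}}{{/contains}}` block at the end of the tags section is empty and renders nothing; the usual body in Elastic integrations is `publisher_pipeline.disable_host: true`, which stops the agent from overwriting the endpoint's own `host.*` values with the collector's when events are tagged as forwarded, and since every record here carries its own `host.*` data that is the behaviour this input wants. The `{{#if preserve_original_event}}` block is also dead as written: tychon_arp/manifest.yml in this commit declares no `preserve_original_event` variable and the ingest pipeline never populates `event.original`, so either add the variable and the pipeline support or drop the block. The tychon_cpu stream.yml.hbs in this commit is byte-identical and has the same two issues.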
@@ -0,0 +1,67 @@
+---
+description: Pipeline for TYCHON ARP Tables
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [network]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_arp/fields/agent.yml b/packages/tychon/data_stream/tychon_arp/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/fields/agent.yml
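Review bot: The second `set` processor unconditionally replaces `@timestamp` with `{{_ingest.timestamp}}`, but ARP records already arrive with their own `@timestamp` (the test fixture carries `2023-08-16T05:22:36Z`), and the expected file confirms the collection time is lost in favour of the ingest time, which `event.ingested` already records; add `override: false` to that processor so an existing event time is kept and the ingest time is only a fallback. The `on_failure` handler uses double mustaches, `"{{ _ingest.on_failure_message }}"`, while the tychon_cpu pipeline in this commit uses triple mustaches for the same value; triple braces avoid the HTML escaping that double braces apply to the message text, so align this one to `'{{{ _ingest.on_failure_message }}}'`. The `@timestamp` point applies to the tychon_cpu pipeline as well; there the CPU fixture has no incoming `@timestamp`, so the fallback is needed, and `override: false` handles both cases.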
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: version
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: text
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_arp/fields/base-fields.yml b/packages/tychon/data_stream/tychon_arp/fields/base-fields.yml
new file mode 100644
index 00000000000..58d1699586e
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: input
+ type: group
+ fields:
+ - name: type
+ description: Input Type.
+ type: keyword
+- name: log
+ type: group
+ fields:
+ - name: offset
+ description: Log Offset.
+ type: long
diff --git a/packages/tychon/data_stream/tychon_arp/fields/ecs.yml b/packages/tychon/data_stream/tychon_arp/fields/ecs.yml
new file mode 100644
index 00000000000..1b0bb1256af
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/fields/ecs.yml
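Review bot: `script.current_duration` is declared `type: long` in this file, but the data stream's ingest pipeline converts it with `type: float` and the expected output carries `1809.94`; indexing that into a long mapping truncates the fraction, so declare it `type: float` (the tychon_cpu agent.yml in this commit is byte-identical and has the same mismatch). `host.ipv4` is typed `ip` while `host.ipv6` is `keyword`; the Elasticsearch `ip` type accepts both families, so if `keyword` was chosen because the CPU fixture ships `host.ipv6: ""`, say so in the description, otherwise make the two consistent and have the pipeline drop the empty value. The descriptions for `host.hardware.manufacturer`, `host.hardware.owner` and `host.hardware.serial_number` all read "Host BIOS …", which looks copied from the `bios` group; the fixture values (`Dell Inc.`, an owner account, a service tag) suggest `Host hardware manufacturer.`, `Host hardware owner.` and `Host hardware serial number.` instead.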
@@ -0,0 +1,78 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.mac
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: host.uptime
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: network.direction
+- external: ecs
+ name: network.type
+- external: ecs
+ name: tags
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.ingested
diff --git a/packages/tychon/data_stream/tychon_arp/fields/fields.yml b/packages/tychon/data_stream/tychon_arp/fields/fields.yml
new file mode 100644
index 00000000000..796b93593cd
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/fields/fields.yml
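Review bot: `event.type` is set by the tychon_arp ingest pipeline (`value: [info]`) but is not declared in this ECS field list, whereas `event.category`, which the pipeline sets the same way, is; add `- external: ecs` / `  name: event.type` so the field is mapped and documented like its sibling. The stream template can also add a `preserve_original_event` tag, but `event.original` is not declared here either; if that tag is kept, declare `event.original` as well.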
@@ -0,0 +1,17 @@
+- name: destination
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The Translated Hostname of the IP in the ARP Table
+ - name: name
+ type: keyword
+- name: network
+ type: group
+ fields:
+ - name: interface
+ type: keyword
+ description: The interface the ARP Table has associated the destination.
+ - name: state
+ type: keyword
+ description: Current state
diff --git a/packages/tychon/data_stream/tychon_arp/manifest.yml b/packages/tychon/data_stream/tychon_arp/manifest.yml
new file mode 100644
index 00000000000..6e2a2a3ce40
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_arp/manifest.yml
@@ -0,0 +1,33 @@
+title: Endpoint Arp Table Information
+type: logs
+streams:
+ - input: logfile
+ title: Endpoint Arp Table Information
+ description: TYCHON will report on the entire ARP table from an endpoint.
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Output Arp Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_arp_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_arp_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-arp-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json
new file mode 100644
index 00000000000..6a6227d519b
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json
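Review bot: `destination.name` has no description and `network.state` is described only as "Current state", so the generated field table will not tell a reader what either holds. In the test fixture both `destination.hostname` and `destination.name` carry the reverse-lookup result for the ARP entry and `network.state` carries `dynamic`, so I would write `description: Name resolved for the destination IP of the ARP table entry.` and `description: ARP entry state as reported by the endpoint (for example dynamic).`. Note also that a failed lookup is stored as the literal text `Request timed out (700 ms)` in both hostname fields; either document that in the descriptions or have the pipeline clear the fields when they carry that message, so the value is not treated as a real hostname downstream.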
@@ -0,0 +1,53 @@
+{
+ "events": [
+ {
+ "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "host.cpu.number_of_logical_processors": "1",
+ "host.os.build": "19045",
+ "host.ip": [
+ "10.1.9.51"
+ ],
+ "host.uptime": "348628.5649737",
+ "host.hostname": "BOTANYBAYEP1",
+ "host.hardware.manufacturer": "VMware, Inc.",
+ "script.start": "2023-09-22T17:04:17Z",
+ "host.os.name": "Microsoft Windows 10 Pro",
+ "host.cpu.number_of_cores": "1",
+ "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "host.os.organization": "",
+ "host.hardware.owner": "admin",
+ "host.workgroup": "WORKGROUP",
+ "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3",
+ "host.ipv4": "10.1.9.51",
+ "host.cpu.manufacturer": "GenuineIntel",
+ "host.hardware.bios.name": "Phoenix Technologies LTD",
+ "host.type": "Workstation",
+ "host.cpu.virtualization_firmware_enabled": "true",
+ "host.cpu.name": "Intel(R) Xeon(R) CPU E5-4640 0 @ 2.40GHz",
+ "host.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "script.type": "powershell",
+ "host.cpu.speed": "2400",
+ "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
+ "host.mac": [
+ "00:0C:29:93:6A:F3"
+ ],
+ "host.oem.model": "",
+ "host.cpu.family": "Unknown",
+ "id": "BOTANYBAYEP1#CPU0#0FABFBFF000206D7",
+ "script.current_time": "2023-09-22T17:04:25Z",
+ "script.name": "Get-TychonCpuInfo.ps1",
+ "script.version": "2.3.141.0",
+ "host.cpu.clockspeed": "2400",
+ "host.oem.manufacturer": "",
+ "host.os.description": "",
+ "host.os.version": "2009",
+ "script.current_duration": "8011.80",
+ "host.ipv6": "",
+ "host.hardware.bios.version": "6.00",
+ "host.domain": "",
+ "host.cloud.hosted": "false",
+ "host.os.family": "Windows"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-config.yml b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json
new file mode 100644
index 00000000000..194fcdb504d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-10-05T13:48:07.751417637Z",
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "category": [
+ "configuration"
+ ],
+ "ingested": "2023-10-05T13:48:07.751417637Z",
+ "kind": "state",
+ "module": "tychon",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
+ "cloud": {
+ "hosted": "false"
+ },
+ "cpu": {
+ "caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "clockspeed": 2400,
+ "family": "Unknown",
+ "manufacturer": "GenuineIntel",
+ "name": "Intel(R) Xeon(R) CPU E5-4640 0 @ 2.40GHz",
+ "number_of_cores": "1",
+ "number_of_logical_processors": "1",
+ "speed": 2400,
+ "virtualization_firmware_enabled": "true"
+ },
+ "domain": "",
+ "hardware": {
+ "bios": {
+ "name": "Phoenix Technologies LTD",
+ "version": "6.00"
+ },
+ "cpu": {
+ "caption": "Intel64 Family 6 Model 45 Stepping 7"
+ },
+ "manufacturer": "VMware, Inc.",
+ "owner": "admin",
+ "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3"
+ },
+ "hostname": "BOTANYBAYEP1",
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "ip": [
+ "10.1.9.51"
+ ],
+ "ipv4": [
+ "10.1.9.51"
+ ],
+ "ipv6": "",
+ "mac": [
+ "00-0C-29-93-6A-F3"
+ ],
+ "oem": {
+ "manufacturer": "",
+ "model": ""
+ },
+ "os": {
+ "build": "19045",
+ "description": "",
+ "family": "Windows",
+ "name": "Microsoft Windows 10 Pro",
+ "organization": "",
+ "version": "2009"
+ },
+ "type": "Workstation",
+ "uptime": 348628,
+ "workgroup": "WORKGROUP"
+ },
+ "id": "BOTANYBAYEP1#CPU0#0FABFBFF000206D7",
+ "script": {
+ "current_duration": 8011.8,
+ "current_time": "2023-09-22T17:04:25Z",
+ "name": "Get-TychonCpuInfo.ps1",
+ "start": "2023-09-22T17:04:17Z",
+ "type": "powershell",
+ "version": "2.3.141.0"
+ },
+ "tychon": {
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..72a2b96542a
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,88 @@
+---
+description: Pipeline for TYCHON CPU Information
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - gsub:
+ field: host.cpu.speed
+ pattern: "[^0-9]"
+ replacement: ""
+ - convert:
+ field: host.cpu.speed
+ type: long
+ ignore_missing: true
+ - gsub:
+ field: host.cpu.clockspeed
+ pattern: "[^0-9]"
+ replacement: ""
+ - convert:
+ field: host.cpu.clockspeed
+ type: long
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cpu/fields/agent.yml b/packages/tychon/data_stream/tychon_cpu/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_cpu/fields/agent.yml
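Review bot: The second `split` of `host.uptime` into `tempuptime`, placed after the clockspeed conversion, is a leftover duplicate: by that point `host.uptime` has already been converted to `long` and `tempuptime` has been removed, so the split only fails silently under `ignore_failure: true`, and if it ever succeeded it would leave a stray `tempuptime` field in the document; drop it. The two `gsub` processors on `host.cpu.speed` and `host.cpu.clockspeed` carry no `ignore_missing`, so a CPU record lacking either field sends the whole document to `on_failure` with `event.kind: pipeline_error` even though the matching `convert` steps tolerate absence; add `ignore_missing: true` to both. The fixture also ships `host.cpu.virtualization_firmware_enabled` and `host.cloud.hosted` as the strings `"true"`/`"false"` and the expected output keeps them as strings; if those are meant to be boolean fields, convert them as below.

```yaml
# … unchanged: dot_expander, @timestamp, event.ingested, ecs.version, host.mac, host.ipv4, host.uptime and event.* processors …
  - gsub:
      field: host.cpu.speed
      pattern: "[^0-9]"
      replacement: ""
      ignore_missing: true
  - convert:
      field: host.cpu.speed
      type: long
      ignore_missing: true
  - gsub:
      field: host.cpu.clockspeed
      pattern: "[^0-9]"
      replacement: ""
      ignore_missing: true
  - convert:
      field: host.cpu.clockspeed
      type: long
      ignore_missing: true
  - convert:
      field: host.cpu.virtualization_firmware_enabled
      type: boolean
      ignore_missing: true
  - convert:
      field: host.cloud.hosted
      type: boolean
      ignore_missing: true
  # the duplicate split of host.uptime into tempuptime is removed here
  - convert:
      field: script.current_duration
      type: float
      ignore_missing: true
# … unchanged: on_failure …
```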
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_cpu/fields/base-fields.yml b/packages/tychon/data_stream/tychon_cpu/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_cpu/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_cpu/fields/ecs.yml b/packages/tychon/data_stream/tychon_cpu/fields/ecs.yml new file mode 100644 index 00000000000..a01c01ace4e --- /dev/null +++ b/packages/tychon/data_stream/tychon_cpu/fields/ecs.yml 
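Review bot: `script.current_duration` is declared `type: long` here while the data stream's pipeline converts it with `type: float`, and the CVE fixture shows the cost of the narrow type — input `910425.42` comes out as `910425.44` in the expected document; declare the field `type: double` and convert with `type: double` in the pipeline. `host.ipv4` is mapped `type: ip` but the pipeline only splits the string on commas, so an empty value (the fixtures already carry `host.ipv6: ""`, and ipv4 can presumably be empty on a host with no v4 address) would yield `[""]`, which the ip mapper is likely to reject; drop empty elements in the pipeline or map it as `keyword` like `host.ipv6`. The descriptions of `host.hardware.manufacturer`, `host.hardware.owner` and `host.hardware.serial_number` all read "Host BIOS …" although the sample values (`VMware, Inc.`, `admin`) are system-level attributes — reword to `Host hardware manufacturer.`, `Host hardware owner.`, `Host hardware serial number.`. This file is byte-identical (blob efacb477dd9) to the tychon_cve and tychon_epp copies, so the same fixes apply there.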
@@ -0,0 +1,70 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: error.message +- external: ecs + name: event.ingested diff --git a/packages/tychon/data_stream/tychon_cpu/fields/fields.yml b/packages/tychon/data_stream/tychon_cpu/fields/fields.yml new file mode 100644 index 00000000000..d2212239b15 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cpu/fields/fields.yml 
@@ -0,0 +1,33 @@ +- name: host + type: group + fields: + - name: cpu + type: group + fields: + - name: caption + description: Host Cpu Caption. + type: text + - name: clockspeed + description: Host Cpu Clockspeed. + type: long + - name: family + description: Host Cpu Family. + type: keyword + - name: manufacturer + description: Host Cpu Manufacturer. + type: keyword + - name: name + description: Host Cpu Name. + type: keyword + - name: number_of_cores + description: Host Cpu Number Of Cores. + type: integer + - name: number_of_logical_processors + description: Host Cpu Number Of Logical Processors. + type: integer + - name: speed + description: Host Cpu Speed. + type: long + - name: virtualization_firmware_enabled + description: Host Cpu Virtualization Firmware Enabled. + type: boolean diff --git a/packages/tychon/data_stream/tychon_cpu/manifest.yml b/packages/tychon/data_stream/tychon_cpu/manifest.yml new file mode 100644 index 00000000000..82a7fb19357 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cpu/manifest.yml 
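Review bot: `host.cpu.speed` and `host.cpu.clockspeed` are documented only as "Host Cpu Speed." and "Host Cpu Clockspeed." with no unit, yet the pipeline strips every non-digit before mapping them as `long`, so the unit is the only thing that makes the number meaningful. State it in the description, e.g. `description: Host CPU current speed in MHz (non-digit characters are stripped by the pipeline).` — and confirm against the scanner output that MHz is in fact what it emits.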
@@ -0,0 +1,33 @@ +title: Endpoint CPU Info +type: logs +streams: + - input: logfile + title: Endpoint CPU Info + description: Endpoint CPU Info + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: TYCHON Endpoint CPU Output Location + multi: true + required: true + show_user: true + default: + - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_cpu_info.json + - /var/log/tychoncloud/eventlogs/tychon_cpu_info.json + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - tychon-cpu-info + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json new file mode 100644 index 00000000000..9a6c1d577d0 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json 
@@ -0,0 +1,58 @@ +{ + "events": [ + { + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.cloud.hosted": false, + "host.domain": "", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.hardware.bios.version": "6.00", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.hardware.manufacturer": "VMware, Inc.", + "host.hardware.owner": "admin", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.hostname": "BOTANYBAYEP1", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.ip": [ + "10.1.9.51" + ], + "host.ipv4": "10.1.9.51", + "host.ipv6": "", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "host.oem.manufacturer": "", + "host.oem.model": "", + "host.os.build": "19045", + "host.os.description": "", + "host.os.family": "Windows", + "host.os.name": "Microsoft Windows 10 Pro", + "host.os.organization": "", + "host.os.version": "2009", + "host.type": "Workstation", + "host.uptime": 312557.8520254, + "host.workgroup": "WORKGROUP", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP_CVE-2022-24501", + "script.current_duration": "910425.42", + "script.current_time": "2023-09-22T07:18:16Z", + "script.name": "Invoke-CveScan.ps1", + "script.start": "2023-09-22T07:03:05Z", + "script.type": "powershell", + "script.version": "2.3.141.0", + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "vulnerability.classification": "vulnerability", + "vulnerability.due_date": "", + "vulnerability.due_date_reason": "", + "vulnerability.iava": "", + "vulnerability.iava_severity": "", + "vulnerability.id": "CVE-2022-24501", + "vulnerability.reference": "http://www.scaprepo.com/view.jsp?id=CVE-2022-24501", + "vulnerability.result": "pass", + "vulnerability.scanner.vendor": "Tychon, LLC", + "vulnerability.score.base": "6.80", + 
"vulnerability.severity": "MEDIUM", + "vulnerability.title": "VP9 Video Extensions Remote Code Execution Vulnerability - CVE-2022-24501", + "vulnerability.version": "1", + "vulnerability.year": "2022" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-config.yml b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json new file mode 100644 index 00000000000..e035b567a9c --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json 
@@ -0,0 +1,104 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:07.991051920Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "ingested": "2023-10-05T13:48:07.991051920Z", + "kind": "state", + "module": "tychon", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": false + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 312557, + "workgroup": "WORKGROUP" + }, + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP_CVE-2022-24501", + "script": { + "current_duration": 910425.44, + "current_time": "2023-09-22T07:18:16Z", + "name": "Invoke-CveScan.ps1", + "start": "2023-09-22T07:03:05Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + }, + "vulnerability": { + "category": [ + "oval" + ], + "classification": "cvss", + "due_date": "1970-01-01T00:00:01.000Z", + "due_date_reason": "", + "enumeration": "CVE", + "iava": "", + "iava_severity": "", + "id": "CVE-2022-24501", + "reference": 
"http://www.scaprepo.com/view.jsp?id=CVE-2022-24501", + "result": "pass", + "scanner": { + "vendor": "tychon" + }, + "score": { + "base": 6.8 + }, + "severity": "MEDIUM", + "title": "VP9 Video Extensions Remote Code Execution Vulnerability - CVE-2022-24501", + "version": "1", + "year": 2022 + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_cve/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..a87e5c5ef98 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/agent/stream/stream.yml.hbs @@ -0,0 +1,23 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true + expand_keys: true + \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..c618184d707 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,108 @@ +--- +description: CVE Pipeline for parsing TYCHON Vulnerability Scan Results +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: vulnerability.due_date + value: "1970-01-01T00:00:01Z" + if: ctx.vulnerability.due_date == '' + - date: + field: vulnerability.due_date + target_field: vulnerability.due_date + output_format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX + formats: + - strict_date_optional_time + - epoch_millis + - date + - "MM/dd/yyyy" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - gsub: + field: host.mac + pattern: ":" + replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - convert: + field: host.uptime + type: string + ignore_missing: true + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: host.uptime + type: long + ignore_missing: true + - set: + field: event.category + value: [vulnerability] + - set: + field: event.type + value: [info] + - script: + source: | + if(ctx.vulnerability?.result == 'fail'){ + ctx.event.outcome = "failure" + }else if(ctx.vulnerability?.result == 'pass'){ + ctx.event.outcome = "success" + }else{ + ctx.event.outcome = "unknown" + } + - convert: + field: script.current_duration + type: float + ignore_missing: true + - convert: + field: vulnerability.score.base + type: float + ignore_failure: true + - convert: + field: vulnerability.year + type: long + - set: + field: vulnerability.scanner.vendor + value: tychon + - set: + field: vulnerability.category + value: [oval] + - set: + field: 
vulnerability.classification + value: cvss + - set: + field: vulnerability.enumeration + value: CVE +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/fields/agent.yml b/packages/tychon/data_stream/tychon_cve/fields/agent.yml new file mode 100644 index 00000000000..efacb477dd9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/fields/agent.yml 
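Review bot: The condition `if: ctx.vulnerability.due_date == ''` on the `set` processor is null-unsafe: a record without a `vulnerability` object throws a NullPointerException and the whole document is routed to `on_failure`; use `if: ctx.vulnerability?.due_date == ''`, and guard the following `date` processor with `if: ctx.vulnerability?.due_date != null`, since it has neither `ignore_missing` nor `ignore_failure`. The `convert` of `vulnerability.year` to `long` likewise lacks `ignore_missing: true`, while the score conversion just above it tolerates failure. Substituting `1970-01-01T00:00:01Z` for an empty due date plants a sentinel that every "overdue" query will match — removing the field when it is empty is safer than a fake epoch. As in the other pipelines, `@timestamp` is the ingest time although `script.current_time` carries the scan time, and `script.current_duration` is narrowed to `float` (the fixture turns `910425.42` into `910425.44`); `type: double` preserves the value.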
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml b/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_cve/fields/ecs.yml b/packages/tychon/data_stream/tychon_cve/fields/ecs.yml new file mode 100644 index 00000000000..70c1f2ac0ed --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/fields/ecs.yml 
@@ -0,0 +1,94 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.hostname +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.uptime +- external: ecs + name: host.type +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.name +- external: ecs + name: host.os.version +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.base +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity 
diff --git a/packages/tychon/data_stream/tychon_cve/fields/fields.yml b/packages/tychon/data_stream/tychon_cve/fields/fields.yml new file mode 100644 index 00000000000..b73c0500bbc --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/fields/fields.yml @@ -0,0 +1,27 @@ +- name: vulnerability + type: group + fields: + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason. + type: keyword + - name: iava + description: Vulnerability Iava. + type: keyword + - name: iava_severity + description: Vulnerability Iava Severity. + type: keyword + - name: result + description: Vulnerability Result. + type: keyword + - name: title + description: Vulnerability Title. + type: keyword + - name: version + description: Vulnerability Version. + type: keyword + - name: year + description: Vulnerability Year. + type: integer diff --git a/packages/tychon/data_stream/tychon_cve/manifest.yml b/packages/tychon/data_stream/tychon_cve/manifest.yml new file mode 100644 index 00000000000..b1dc5ee94f8 --- /dev/null +++ b/packages/tychon/data_stream/tychon_cve/manifest.yml 
@@ -0,0 +1,33 @@ +title: Vulnerabilites +type: logs +streams: + - input: logfile + title: Vulnerabilites + description: TYCHON reports on tens of thousands of Vulnerabilites, this data stream reads in the results as upserts to your Elastic database. + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: Vulnerability Results Location + multi: true + required: true + show_user: true + default: + - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_cve_info.json + - /var/log/tychoncloud/eventlogs/tychon_cve_info.json + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - tychon-cve + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json new file mode 100644 index 00000000000..805336ce309 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json 
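Review bot: The stream description promises the results are read in "as upserts to your Elastic database", but nothing in this data stream assigns a document `_id` — the pipeline only sets regular fields — so every rescan appends a new document per host/CVE rather than replacing the previous one. Data streams additionally accept only `create` operations, so setting `_id` from the record's `id` would turn a rescan into a version-conflict rejection rather than an update; reword the description to say results are appended and should be deduplicated on `id` (or reduced with a latest transform) at query time. The title and description also misspell "Vulnerabilities" (`Vulnerabilites`) in three places, and the title is what Fleet shows to users.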
@@ -0,0 +1,79 @@ +{ + "events": [ + { + "trellix.service.ens.signature_version": "", + "trellix.service.dlp.status": "Unknown", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.workgroup": "WORKGROUP", + "elastic.service.agent.status": "", + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.type": "Workstation", + "windows_defender.service.behavior_monitor.status": "Disabled", + "trellix.service.dlp.version": "", + "trellix.service.ma.version": "", + "script.current_duration": "9805.07", + "trellix.service.accm.version": "", + "host.oem.manufacturer": "", + "host.uptime": "352927.1521054", + "host.os.name": "Microsoft Windows 10 Pro", + "windows_defender.service.on_access_protection.status": "Disabled", + "windows_defender.service.antimalware.engine_version": "1.1.23080.2005", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "windows_defender.service.antispyware.signature_version": "1.397.1402.0", + "trellix.service.ma.status": "Unknown", + "host.os.version": "2009", + "trellix.service.ens.version": "", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "elastic.service.endpoint.malware": "detect", + "trellix.service.accm.status": "", + "host.cloud.hosted": "false", + "windows_defender.service.antimalware.status": "Enabled", + "host.hardware.owner": "admin", + "elastic.service.endpoint.memory_protection": "detect", + "script.version": "2.3.141.0", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "windows_defender.service.antispyware.status": "Enabled", + "host.ipv6": "", + "windows_defender.service.antivirus.full_scan.signature_version": "", + "script.type": "powershell", + "host.ipv4": "10.1.9.51", + "elastic.service.endpoint.behavior_protection": "detect", + "host.domain": "", + "host.os.organization": "", + "script.start": "2023-09-22T18:15:55Z", + "host.os.family": "Windows", + 
"script.current_time": "2023-09-22T18:16:05Z", + "host.hardware.manufacturer": "VMware, Inc.", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.hardware.bios.version": "6.00", + "windows_defender.service.antimalware.product_version": "4.18.23080.2006", + "windows_defender.service.antivirus.status": "Enabled", + "host.os.build": "19045", + "windows_defender.service.ioav_protection.status": "Disabled", + "windows_defender.service.nis.engine_version": "1.1.23080.2005", + "elastic.service.endpoint.version": "", + "host.oem.model": "", + "host.hostname": "BOTANYBAYEP1", + "trellix.service.rsd.status": "", + "windows_defender.service.nis.signature_version": "1.397.1402.0", + "trellix.service.pa.version": "", + "windows_defender.service.antivirus.quick_scan.signature_version": "1.397.1180.0", + "trellix.service.rsd.version": "", + "elastic.service.endpoint.status": "", + "windows_defender.service.nis.status": "Disabled", + "host.ip": [ + "10.1.9.51" + ], + "trellix.service.pa.status": "", + "windows_defender.service.real_time_protection.status": "Disabled", + "script.name": "Get-TychonEppSetting.ps1", + "trellix.service.ens.status": "", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "elastic.service.agent.version": "", + "host.os.description": "", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" 
diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json new file mode 100644 index 00000000000..99408e92aab --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json 
@@ -0,0 +1,162 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:08.349377955Z", + "ecs": { + "version": "8.8.0" + }, + "elastic": { + "service": { + "agent": { + "status": "", + "version": "" + }, + "endpoint": { + "behavior_protection": "detect", + "malware": "detect", + "memory_protection": "detect", + "status": "", + "version": "" + } + } + }, + "event": { + "category": [ + "configuration" + ], + "ingested": "2023-10-05T13:48:08.349377955Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 352927, + "workgroup": "WORKGROUP" + }, + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "script": { + "current_duration": 9805.07, + "current_time": "2023-09-22T18:16:05Z", + "name": "Get-TychonEppSetting.ps1", + "start": "2023-09-22T18:15:55Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "trellix": { + "service": { + "accm": { + "status": "", + "version": "" + }, + "dlp": { + "status": "Unknown", + "version": "" + }, + "ens": { + "signature_version": "", + "status": "", + "version": "" 
+ }, + "ma": { + "status": "Unknown", + "version": "" + }, + "pa": { + "status": "", + "version": "" + }, + "rsd": { + "status": "", + "version": "" + } + } + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + }, + "windows_defender": { + "service": { + "antimalware": { + "engine_version": "1.1.23080.2005", + "product_version": "4.18.23080.2006", + "status": "Enabled" + }, + "antispyware": { + "signature_version": "1.397.1402.0", + "status": "Enabled" + }, + "antivirus": { + "full_scan": { + "signature_version": "" + }, + "quick_scan": { + "signature_version": "1.397.1180.0" + }, + "status": "Enabled" + }, + "behavior_monitor": { + "status": "Disabled" + }, + "ioav_protection": { + "status": "Disabled" + }, + "nis": { + "engine_version": "1.1.23080.2005", + "signature_version": "1.397.1402.0", + "status": "Disabled" + }, + "on_access_protection": { + "status": "Disabled" + }, + "real_time_protection": { + "status": "Disabled" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_epp/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..90702aae1c6 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/agent/stream/stream.yml.hbs @@ -0,0 +1,23 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true + expand_keys: true \ No newline at end of file 
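Review bot: There is a stray blank line inside the `{{#each tags as |tag|}}` loop of the tychon_epp stream template (between the opening tag and `- {{tag}}`), so the rendered input config gets an empty line per tag; the tychon_cve template has the same loop without it. Drop the blank line so the three stream templates render identically.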
diff --git a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..8c3bbeacd7a --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,67 @@ +--- +description: Pipeline for TYCHON Endpoint Protection Datasets +processors: + - dot_expander: + field: "*" + - set: + field: '@timestamp' + value: '{{_ingest.timestamp}}' + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: ecs.version + value: '8.8.0' + - set: + field: event.kind + value: state + - set: + field: event.module + value: tychon + - set: + field: event.category + value: [configuration] + - set: + field: event.type + value: [info] + - gsub: + field: host.mac + pattern: ":" + replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - convert: + field: host.uptime + type: string + ignore_missing: true + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: host.uptime + type: long + ignore_missing: true + - convert: + field: script.current_duration + type: float + ignore_missing: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/fields/agent.yml b/packages/tychon/data_stream/tychon_epp/fields/agent.yml new file mode 100644 index 00000000000..efacb477dd9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/fields/agent.yml 
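Review bot: `host.cloud.hosted` arrives as the string `"false"` in test-epp.json and is left untouched — the expected fixture keeps `"hosted": "false"` — whereas the CVE sample carries a real boolean, so the same field has two types across the package; add `- convert:` / `field: host.cloud.hosted` / `type: boolean` / `ignore_missing: true` and declare the field, which none of the visible field files defines. The protection states under `windows_defender.service.*`, `trellix.service.*` and `elastic.service.*` pass through as free-form strings (`Enabled`/`Disabled`/`Unknown`/empty); their field definitions are outside this excerpt, so confirm they are pinned as `keyword`, otherwise a detection rule on e.g. `windows_defender.service.real_time_protection.status: Disabled` depends on dynamic mapping. A header comment naming the fields expected from `Get-TychonEppSetting.ps1` would also help the next maintainer.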
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml b/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_epp/fields/ecs.yml b/packages/tychon/data_stream/tychon_epp/fields/ecs.yml new file mode 100644 index 00000000000..03c803d3515 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/fields/ecs.yml 
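Review bot: `script.current_duration` is declared `type: long` here, but both ingest pipelines (L42, L54) convert it to `float` and the expected fixture at L52 carries `13538.63`, so the indexed value will be coerced to an integer by the mapping; declare it `type: float` (or `double`) or document that the fraction is dropped, and say which unit the duration is in, which `description: Scanner Script Duration.` leaves open. The descriptions of `host.hardware.manufacturer`, `host.hardware.owner` and `host.hardware.serial_number` read `Host BIOS ...` although they sit beside the `bios` group rather than inside it, and the fixture value `"VMware, Inc."` (L50) looks like the system manufacturer; `description: Host hardware manufacturer.` and likewise for owner and serial number would match the data. The identical file is added again for the exposedservice data stream (L55–L56) and needs the same fixes.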
@@ -0,0 +1,80 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.build_version +- external: ecs + name: package.description +- external: ecs + name: package.name +- external: ecs + name: package.reference +- external: ecs + name: package.type +- external: ecs + name: tags diff --git a/packages/tychon/data_stream/tychon_epp/fields/fields.yml b/packages/tychon/data_stream/tychon_epp/fields/fields.yml new file mode 100644 index 00000000000..03e45729afd --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/fields/fields.yml 
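Review bot: `event.module` is missing from this ECS field list, although the epp ingest pipeline (L42) sets `event.module: tychon` and the exposedservice list (L57) does declare it; add `- external: ecs` / `name: event.module` so the field is mapped and the pipeline test does not report it as undefined.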
@@ -0,0 +1,201 @@ +- name: crowdstrike + type: group + fields: + - name: service + type: group + fields: + - name: falcon + type: group + fields: + - name: signature_version + description: Crowdstrike Service Falcon Signature Version. + type: keyword + - name: status + description: Crowdstrike Service Falcon Status. + type: keyword + - name: version + description: Crowdstrike Service Falcon Version. + type: version +- name: elastic + type: group + fields: + - name: service + type: group + fields: + - name: agent + type: group + fields: + - name: status + description: Elastic Service Agent Status. + type: keyword + - name: version + description: Elastic Service Agent Version. + type: version + - name: endpoint + type: group + fields: + - name: behavior_protection + description: Elastic Service Endpoint Behavior Protection. + type: keyword + - name: malware + description: Elastic Service Endpoint Malware. + type: keyword + - name: memory_protection + description: Elastic Service Endpoint Memory Protection. + type: keyword + - name: ransomware + description: Elastic Service Endpoint Ransomware. + type: keyword + - name: status + description: Elastic Service Endpoint Status. + type: keyword + - name: version + description: Elastic Service Endpoint Version. + type: version +- name: trellix + type: group + fields: + - name: service + type: group + fields: + - name: accm + type: group + fields: + - name: status + description: Trellix Service Accm Status. + type: keyword + - name: version + description: Trellix Service Accm Version. + type: version + - name: dlp + type: group + fields: + - name: status + description: Trellix Service Dlp Status. + type: keyword + - name: version + description: Trellix Service Dlp Version. + type: version + - name: ens + type: group + fields: + - name: signature_version + description: Trellix Service Ens Signature Version. + type: keyword + - name: status + description: Trellix Service Ens Status. 
+ type: keyword + - name: version + description: Trellix Service Ens Version. + type: version + - name: ma + type: group + fields: + - name: status + description: Trellix Service Ma Status. + type: keyword + - name: version + description: Trellix Service Ma Version. + type: version + - name: pa + type: group + fields: + - name: status + description: Trellix Service Pa Status. + type: keyword + - name: version + description: Trellix Service Pa Version. + type: version + - name: rsd + type: group + fields: + - name: status + description: Trellix Service Rsd Status. + type: keyword + - name: version + description: Trellix Service Rsd Version. + type: version +- name: windows_defender + type: group + fields: + - name: service + type: group + fields: + - name: antimalware + type: group + fields: + - name: engine_version + description: Windows Defender Service Antimalware Engine Version. + type: keyword + - name: product_version + description: Windows Defender Service Antimalware Product Version. + type: keyword + - name: signature_version + description: Windows Defender Service Antimalware Signature Version. + type: keyword + - name: status + description: Windows Defender Service Antimalware Status. + type: keyword + - name: antispyware + type: group + fields: + - name: signature_version + description: Windows Defender Service Antispyware Signature Version. + type: keyword + - name: status + description: Windows Defender Service Antispyware Status. + type: keyword + - name: antivirus + type: group + fields: + - name: full_scan + type: group + fields: + - name: signature_version + description: Windows Defender Service Antivirus Full Scan Signature Version. + type: keyword + - name: quick_scan + type: group + fields: + - name: signature_version + description: Windows Defender Service Antivirus Quick Scan Signature Version. + type: keyword + - name: status + description: Windows Defender Service Antivirus Status. 
+ type: keyword + - name: behavior_monitor + type: group + fields: + - name: status + description: Windows Defender Service Behavior Monitor Status. + type: keyword + - name: ioav_protection + type: group + fields: + - name: status + description: Windows Defender Service Ioav Protection Status. + type: keyword + - name: nis + type: group + fields: + - name: engine_version + description: Windows Defender Service Nis Engine Version. + type: keyword + - name: signature_version + description: Windows Defender Service Nis Signature Version. + type: keyword + - name: status + description: Windows Defender Service Nis Status. + type: keyword + - name: on_access_protection + type: group + fields: + - name: status + description: Windows Defender Service On Access Protection Status. + type: keyword + - name: real_time_protection + type: group + fields: + - name: status + description: Windows Defender Service Real Time Protection Status. + type: keyword diff --git a/packages/tychon/data_stream/tychon_epp/manifest.yml b/packages/tychon/data_stream/tychon_epp/manifest.yml new file mode 100644 index 00000000000..83539270d37 --- /dev/null +++ b/packages/tychon/data_stream/tychon_epp/manifest.yml 
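Review bot: The `status` fields are what a detection rule would key on (e.g. `windows_defender.service.real_time_protection.status`), yet every description merely restates the field path and says nothing about the vocabulary; the fixture at L41 shows `Enabled`, `Disabled`, `Unknown` (for Trellix `ma`) and the empty string. Documenting that, e.g. `description: Windows Defender real-time protection status as reported by TYCHON (Enabled, Disabled, Unknown; empty when not reported).`, gives rule authors something to match against, and stating that an empty string rather than an absent field means "not reported" settles the null-vs-empty policy. Why the `version` fields use `type: version` while `engine_version` and `signature_version` are `keyword` is also not explained; a one-line comment would help.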
@@ -0,0 +1,33 @@
+title: Endpoint Protection Platform Info
+type: logs
+streams:
+ - input: logfile
+ title: Endpoint Protection Platform Info
+ description: Endpoint Protection Platform Info
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON EPP Output Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_epp_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_epp_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-epp-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json
new file mode 100644
index 00000000000..dd3a2124637
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json
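Review bot: The stream `description` just repeats the title `Endpoint Protection Platform Info`, so the integration UI tells the operator nothing about what is collected. Based on the fields declared at L46–L48, something like `description: Status and versions of endpoint protection services (CrowdStrike Falcon, Elastic Agent and Endpoint, Trellix, Windows Defender) reported by TYCHON per host.` would be more useful; the exposedservice manifest (L59) already has a descriptive sentence.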
@@ -0,0 +1,54 @@ +{ + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "process.name": "services.exe", + "script.type": "powershell", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "process.start": "2023-09-18T16:13:52Z", + "host.hostname": "BOTANYBAYEP1", + "host.hardware.manufacturer": "VMware, Inc.", + "script.start": "2023-09-25T19:02:40Z", + "host.os.name": "Microsoft Windows 10 Pro", + "host.hardware.owner": "admin", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.os.organization": "", + "host.workgroup": "WORKGROUP", + "host.ipv4": "10.1.9.51", + "host.os.version": "2009", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "process.user.name": "NT AUTHORITY\\SYSTEM", + "source.ip": "::", + "network.transport": "tcp", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "process.command_line": "", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00-0C-29-93-6A-F3" + ], + "process.pid": 848, + "host.oem.model": "", + "host.uptime": "614921.3194264", + "id": "BOTANYBAYEP1#::#49673#tcp", + "process.hash.sha1": "2D79A17A7F226B4A3BC25D47D73570F9A33AAC1A", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "script.name": "Get-ExposedServiceInfo.ps1", + "script.version": "2.3.141.0", + "host.oem.manufacturer": "", + "host.os.description": "", + "script.current_duration": "13538.63", + "host.ipv6": "", + "script.current_time": "2023-09-25T19:02:54Z", + "host.hardware.bios.version": "6.00", + "source.port": 49673, + "process.executable": "services.exe", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-config.yml b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json
new file mode 100644
index 00000000000..248cb3c542b
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json
@@ -0,0 +1,102 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:08.716336204Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "network" + ], + "ingested": "2023-10-05T13:48:08.716336204Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 614921, + "workgroup": "WORKGROUP" + }, + "id": "BOTANYBAYEP1#::#49673#tcp", + "network": { + "transport": "tcp" + }, + "process": { + "command_line": "", + "executable": "services.exe", + "hash": { + "sha1": "2D79A17A7F226B4A3BC25D47D73570F9A33AAC1A" + }, + "name": "services.exe", + "pid": 848, + "start": "2023-09-18T16:13:52Z", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + } + }, + "script": { + "current_duration": 13538.63, + "current_time": "2023-09-25T19:02:54Z", + "name": "Get-ExposedServiceInfo.ps1", + "start": "2023-09-25T19:02:40Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "service": { + "name": "services.exe" + }, + "source": { + "ip": "::", + "port": 49673 + }, + "tychon": { + "id": 
"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..245b06f1437
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml
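Review bot: The `{{#contains "forwarded" tags}}` block is empty, so tagging events as forwarded has no effect here, whereas the epp template (L41) emits `publisher_pipeline.disable_host: true` inside it, which is what the forwarded convention exists for. Since these documents carry their own TYCHON-reported `host.*` fields (`host.id`, `host.hostname`, `host.ip`, `host.mac` in the fixture at L50), presumably the agent's own host metadata should be suppressed here too: add `publisher_pipeline.disable_host: true` inside the block, or remove the empty block so the template does not suggest handling that is not there. The harddrive template (L63) has the same empty block.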
@@ -0,0 +1,78 @@
+---
+description: Pipeline for Exposed Services
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: source.ip
+ value: "0.0.0.0"
+ if: ctx.source.ip == ''
+ ignore_failure: true
+ - set:
+ field: service.name
+ value: "{{process.name}}"
+ if: "ctx.service?.name == null"
+ ignore_failure: true
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.module
+ value: tychon
+ - set:
+ field: event.category
+ value: [network]
+ - set:
+ field: event.type
+ value: [info]
+
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_exposedservice/fields/agent.yml b/packages/tychon/data_stream/tychon_exposedservice/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/fields/agent.yml
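Review bot: `host.cloud.hosted` passes through this pipeline as the string `"false"` (fixture L50, expected output L52) and is not declared in any of the data stream's field files (L55–L58), so it is left unmapped, and as a boolean-in-a-string it will not behave like a boolean in queries; either add `- convert:` / `field: host.cloud.hosted` / `type: boolean` with `ignore_missing: true` together with a field definition, or remove the field. The `source.ip` condition `ctx.source.ip == ''` is not null-safe and only survives a missing `source` object because of `ignore_failure: true`, which also hides any other failure of that processor; `ctx.source?.ip == ''` would match the style of the following `ctx.service?.name == null` and let `ignore_failure` go. The same `host.cloud.hosted` string appears in the harddrive fixtures (L60–L63).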
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_exposedservice/fields/base-fields.yml b/packages/tychon/data_stream/tychon_exposedservice/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_exposedservice/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_exposedservice/fields/ecs.yml b/packages/tychon/data_stream/tychon_exposedservice/fields/ecs.yml new file mode 100644 index 00000000000..decf292cc6f --- /dev/null +++ b/packages/tychon/data_stream/tychon_exposedservice/fields/ecs.yml 
@@ -0,0 +1,96 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: network.transport +- external: ecs + name: process.command_line +- external: ecs + name: process.executable +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.start +- external: ecs + name: process.user.name +- external: ecs + name: service.name +- external: ecs + name: service.state +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: user.name 
diff --git a/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml b/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml
new file mode 100644
index 00000000000..77a8e2cbaee
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/fields/fields.yml
@@ -0,0 +1,18 @@
+- name: device
+ type: group
+ fields:
+ - name: name
+ description: Device Name.
+ type: keyword
+- name: service
+ type: group
+ fields:
+ - name: description
+ description: The description text on the service.
+ type: keyword
+ - name: display_name
+ description: The human readable name of the service
+ type: keyword
+ - name: status
+ description: Service Status.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_exposedservice/manifest.yml b/packages/tychon/data_stream/tychon_exposedservice/manifest.yml
new file mode 100644
index 00000000000..c86415c93f3
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_exposedservice/manifest.yml
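Review bot: `service.status` is declared here as a custom keyword while the ECS list for the same data stream (L57) already declares `service.state`, which covers the same concept, so a rule author will not know which one to query. Either map the TYCHON status onto `service.state` in the pipeline and drop this field, or extend the description to say how the two differ. Minor style: `description: The human readable name of the service` lacks the terminal period its siblings have, and `The description text on the service.` would read better as `Description text of the service.`.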
@@ -0,0 +1,33 @@
+title: Endpoint Exposed Services
+type: logs
+streams:
+ - input: logfile
+ title: Endpoint Exposed Services
+ description: TYCHON will detect open ports and their processes to help determine extrenal exposure for an endpoint.
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Exposed Services Output Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_exposedservice_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_exposedservice_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-exposedservice-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json
new file mode 100644
index 00000000000..c7ad1f82216
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json
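Review bot: The stream `description` contains the typo `extrenal` for `external`, and this text is shown to operators in the integration UI. A tidier line would be `description: TYCHON detects open ports and the processes that own them to help determine the external exposure of an endpoint.`.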
@@ -0,0 +1,69 @@ +{ + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.os.name": "Microsoft Windows 10 Pro", + "disk.location.device": "0", + "disk.partition_style": "MBR", + "host.hardware.manufacturer": "VMware, Inc.", + "disk.serial_number": "", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "disk.boot_from": "true", + "host.hostname": "BOTANYBAYEP1", + "disk.adapter.serial_number": "", + "disk.location.adapter": "0", + "disk.system": "true", + "script.start": "2023-09-25T19:03:48Z", + "disk.size": "42949672960", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.os.organization": "", + "host.hardware.owner": "admin", + "disk.name": "VMware Virtual disk", + "host.workgroup": "WORKGROUP", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.ipv4": "10.1.9.51", + "host.oem.model": "", + "disk.is_boot": "true", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "disk.model": "Virtual disk", + "disk.health_status": "Healthy", + "disk.number": "0", + "script.current_duration": "13711.00", + "disk.offline": "false", + "disk.location.bus": "3", + "disk.location.pci_slot": "160", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.uptime": "614991.6714276", + "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c", + "disk.location.function": "0", + "script.current_time": "2023-09-25T19:04:02Z", + "disk.bus_type": "SAS", + "disk.firmware_version": "2.0", + "disk.manufacturer": "VMware", + "disk.clustered": "false", + "script.name": "Get-TychonHardDriveInfo.ps1", + "script.version": "2.3.141.0", + "host.oem.manufacturer": "", + "host.os.description": "", + "host.os.version": "2009", + 
"disk.operational_status": "Online",
+ "disk.number_of_partitions": "3",
+ "host.ipv6": "",
+ "host.hardware.bios.version": "6.00",
+ "disk.id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk\u0026ven_vmware\u0026prod_virtual_disk#5\u00261ec51bf7\u00260\u0026000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"",
+ "disk.highly_available": "false",
+ "script.type": "powershell",
+ "host.domain": "",
+ "host.cloud.hosted": "false",
+ "host.os.family": "Windows"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json
new file mode 100644
index 00000000000..66068c765c4
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json
@@ -0,0 +1,110 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:09.028702894Z", + "disk": { + "adapter": { + "serial_number": "" + }, + "boot_from": "true", + "bus_type": "SAS", + "clustered": "false", + "firmware_version": "2.0", + "health_status": "Healthy", + "highly_available": "false", + "id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk\u0026ven_vmware\u0026prod_virtual_disk#5\u00261ec51bf7\u00260\u0026000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", + "is_boot": "true", + "location": { + "adapter": "0", + "bus": "3", + "device": "0", + "function": "0", + "pci_slot": "160" + }, + "manufacturer": "VMware", + "model": "Virtual disk", + "name": "VMware Virtual disk", + "number": "0", + "number_of_partitions": "3", + "offline": "false", + "operational_status": "Online", + "partition_style": "MBR", + "serial_number": "", + "size": 42949672960, + "system": "true" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "configuration" + ], + "ingested": "2023-10-05T13:48:09.028702894Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": 
"Microsoft Windows 10 Pro",
+ "organization": "",
+ "version": "2009"
+ },
+ "type": "Workstation",
+ "uptime": 614991,
+ "workgroup": "WORKGROUP"
+ },
+ "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c",
+ "script": {
+ "current_duration": 13711.0,
+ "current_time": "2023-09-25T19:04:02Z",
+ "name": "Get-TychonHardDriveInfo.ps1",
+ "start": "2023-09-25T19:03:48Z",
+ "type": "powershell",
+ "version": "2.3.141.0"
+ },
+ "tychon": {
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..3d924cbe5e0
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml
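Review bot: The `{{#contains "forwarded" tags}}{{/contains}}` block in stream.yml.hbs is empty, so tagging the input with `forwarded` does nothing; the body used elsewhere for this pattern is `publisher_pipeline.disable_host: true`, which stops the collecting agent's own host.* metadata from competing with the endpoint's host.* values that this data stream reads from the file itself (host.hostname, host.id, host.ip, host.mac in the fixture). Without it, an agent that forwards files collected from other endpoints may report its own identity on events that describe a different machine. The tychon_hardware stream.yml.hbs later in this commit is the same blob (e39e88b253d) and has the same empty block.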
@@ -0,0 +1,71 @@
+---
+description: Pipeline for the TYCHON Hard Drive Dataset
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: disk.size
+ type: long
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.module
+ value: tychon
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_harddrive/fields/agent.yml b/packages/tychon/data_stream/tychon_harddrive/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/fields/agent.yml
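Review bot: `script.current_duration` is converted to `float` in the last `convert` before `on_failure`, but fields/agent.yml in this same commit maps it as `long`, so a fractional value such as the hardware fixture's `5072.02` would be truncated at index time; either use `type: long` here or declare the field `float`. Every field that fields.yml maps as `boolean` or `integer` (`disk.boot_from`, `disk.is_boot`, `disk.offline`, `disk.clustered`, `disk.highly_available`, `disk.system`, `disk.number`, `disk.number_of_partitions`, `disk.location.*`, `host.cloud.hosted`) is left as a string and relies on index-time coercion, so a malformed value becomes an indexing reject instead of the `pipeline_error` this `on_failure` is built to surface; explicit `convert` processors with `ignore_missing: true` keep those failures inside the pipeline where they are visible. The `set` of `host.uptime` from `{{tempuptime.0}}` appears to write an empty string when `host.uptime` is absent from the event, after which the final `convert` to `long` fails and the whole event is marked `pipeline_error`; `ignore_empty_value: true` on that `set` avoids it. The tychon_hardware pipeline later in this commit has the same duration and uptime handling, and additionally leaves `device.present` as a lowercased string although its fields.yml maps it `boolean`.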
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_harddrive/fields/base-fields.yml b/packages/tychon/data_stream/tychon_harddrive/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_harddrive/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_harddrive/fields/ecs.yml b/packages/tychon/data_stream/tychon_harddrive/fields/ecs.yml new file mode 100644 index 00000000000..a01c01ace4e --- /dev/null +++ b/packages/tychon/data_stream/tychon_harddrive/fields/ecs.yml 
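Review bot: The descriptions under `host.hardware` for `manufacturer`, `owner` and `serial_number` all read "Host BIOS …", yet the fixture values (`VMware, Inc.`, `admin`, the `VMware-56 4d …` serial) are system hardware attributes and the BIOS attributes already have their own `host.hardware.bios` group directly above; suggest `Host Hardware Manufacturer.`, `Host Hardware Owner.` and `Host Hardware Serial Number.`. `host.ipv6` is mapped `keyword` while `host.ipv4` is mapped `ip`, presumably to tolerate the empty string the fixture carries in `host.ipv6`; an `ip` field would reject that value, so either the asymmetry deserves a description saying so or the pipeline should drop empty strings so both can be `ip`. `script.current_duration` is `long` here while the pipeline converts it to `float`. The tychon_hardware agent.yml later in this commit is the same blob (efacb477dd9) and needs the same changes.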
@@ -0,0 +1,70 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: error.message +- external: ecs + name: event.ingested diff --git a/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml b/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml new file mode 100644 index 00000000000..f897cf8ee96 --- /dev/null +++ b/packages/tychon/data_stream/tychon_harddrive/fields/fields.yml 
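Review bot: `error.message` and `event.ingested` are appended after `tags` instead of in the alphabetical position the rest of this list uses, and the tychon_hardware ecs.yml later in this commit keeps the same entries sorted; keeping both files in one order makes the per-data-stream ECS lists diffable against each other. Moving the two entries to directly after `ecs.version` and after `event.dataset` respectively is the whole change.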
@@ -0,0 +1,84 @@ +- name: disk + type: group + fields: + - name: id + description: Disk ID + type: keyword + - name: adapter + type: group + fields: + - name: serial_number + type: keyword + description: Disk Adapter Serial Number + - name: boot_from + type: boolean + description: OS booted from this disk + - name: bus_type + type: keyword + description: The Disk Bus Type + - name: clustered + type: boolean + description: Is the Disk Clustered + - name: firmware_version + type: keyword + description: Disk Firmware version + - name: health_status + type: keyword + description: Health status of the disk + - name: highly_available + type: boolean + description: Disk is marked as highly available + - name: is_boot + type: boolean + description: Disk is a boot disk + - name: location + type: group + fields: + - name: adapter + type: integer + description: Zero index adapter location + - name: pci_slot + type: integer + description: PCI Slot location + - name: bus + type: integer + description: Disk Bus Location + - name: device + type: integer + description: Disk Device Location + - name: function + type: integer + description: Disk Function Location + - name: manufacturer + type: keyword + description: The manufacturer of the Disk + - name: model + type: keyword + description: The model of the disk + - name: name + type: keyword + description: The friendly name of the disk + - name: number + type: integer + description: The number assigned to the disk + - name: number_of_partitions + type: integer + description: Total number of partitions on the drive + - name: offline + type: boolean + description: Is the disk offline + - name: operational_status + type: keyword + description: Operational Status of the disk + - name: partition_style + type: keyword + description: Partition style + - name: serial_number + type: keyword + description: The unique serial number of the drive + - name: size + type: long + description: Total Size of the disk + - name: system + type: boolean 
+ description: Is this a system drive
diff --git a/packages/tychon/data_stream/tychon_harddrive/manifest.yml b/packages/tychon/data_stream/tychon_harddrive/manifest.yml
new file mode 100644
index 00000000000..21b27d5034f
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_harddrive/manifest.yml
@@ -0,0 +1,34 @@
+title: Endpoint Harddrive Info
+type: logs
+streams:
+ - input: logfile
+ title: Endpoint Harddrive Info
+ description: TYCHON reports all the physical Hard Drive(s) on an endpoint
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Harddrive Output Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_harddrive_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_harddrive_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-harddrive-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json
new file mode 100644
index 00000000000..233194ba2e9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json
@@ -0,0 +1,52 @@ +{ + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "script.type": "powershell", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "script.version": "2.3.141.0", + "host.hostname": "BOTANYBAYEP1", + "host.hardware.manufacturer": "VMware, Inc.", + "script.start": "2023-09-25T04:03:37Z", + "host.os.name": "Microsoft Windows 10 Pro", + "host.os.organization": "", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "device.name": "Motherboard resources", + "host.hardware.owner": "admin", + "host.workgroup": "WORKGROUP", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.ipv4": "10.1.9.51", + "host.os.version": "2009", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "device.present": "true", + "host.type": "Workstation", + "device.id": "ACPI\\PNP0C02\\4", + "device.description": "Motherboard resources", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "device.class": "System", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "device.friendly_name": "Motherboard resources", + "host.oem.model": "", + "host.uptime": "560978.5582333", + "id": "eb657a5e2a6762a1aeebaa530a334081e387d350", + "script.current_time": "2023-09-25T04:03:42Z", + "script.name": "Get-TychonHardwareInfo.ps1", + "device.status": "OK", + "host.oem.manufacturer": "", + "host.os.description": "", + "script.current_duration": "5072.02", + "host.ipv6": "", + "host.hardware.bios.version": "6.00", + "device.manufacturer": "(Standard system devices)", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-config.yml b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json new file mode 100644 index 00000000000..370b07e2e04 --- /dev/null +++ b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json 
@@ -0,0 +1,89 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:09.300032381Z", + "device": { + "class": "System", + "description": "Motherboard resources", + "friendly_name": "Motherboard resources", + "id": "ACPI\\PNP0C02\\4", + "manufacturer": "(Standard system devices)", + "name": "Motherboard resources", + "present": "true", + "status": "OK" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "configuration" + ], + "ingested": "2023-10-05T13:48:09.300032381Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 560978, + "workgroup": "WORKGROUP" + }, + "id": "eb657a5e2a6762a1aeebaa530a334081e387d350", + "script": { + "current_duration": 5072.02, + "current_time": "2023-09-25T04:03:42Z", + "name": "Get-TychonHardwareInfo.ps1", + "start": "2023-09-25T04:03:37Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_hardware/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..1bf708d2ab3
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,70 @@
+---
+description: Pipeline for Hardware
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - lowercase:
+ field: device.present
+ ignore_missing: true
+ - set:
+ field: event.module
+ value: tychon
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_hardware/fields/agent.yml b/packages/tychon/data_stream/tychon_hardware/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_hardware/fields/agent.yml
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_hardware/fields/base-fields.yml b/packages/tychon/data_stream/tychon_hardware/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_hardware/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_hardware/fields/ecs.yml b/packages/tychon/data_stream/tychon_hardware/fields/ecs.yml new file mode 100644 index 00000000000..c39c1090cf4 --- /dev/null +++ b/packages/tychon/data_stream/tychon_hardware/fields/ecs.yml 
@@ -0,0 +1,76 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: device.id +- external: ecs + name: device.manufacturer +- external: ecs + name: device.model.name +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags diff --git a/packages/tychon/data_stream/tychon_hardware/fields/fields.yml b/packages/tychon/data_stream/tychon_hardware/fields/fields.yml new file mode 100644 index 00000000000..f8c9a4a7192 --- /dev/null +++ b/packages/tychon/data_stream/tychon_hardware/fields/fields.yml 
@@ -0,0 +1,21 @@
+- name: device
+ type: group
+ fields:
+ - name: class
+ description: Device Class.
+ type: keyword
+ - name: description
+ description: Device Description.
+ type: text
+ - name: friendly_name
+ description: Device Friendly Name.
+ type: keyword
+ - name: name
+ description: Device Name.
+ type: keyword
+ - name: present
+ description: Device Present.
+ type: boolean
+ - name: status
+ description: Device Status.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_hardware/manifest.yml b/packages/tychon/data_stream/tychon_hardware/manifest.yml
new file mode 100644
index 00000000000..1daff5cba8c
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_hardware/manifest.yml
@@ -0,0 +1,34 @@
+title: Hardware Info
+type: logs
+streams:
+ - input: logfile
+ title: Hardware Info
+ description: The physical hardware attached to a computer system.
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Hardware Output Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_hardware_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_hardware_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-hardware-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json
new file mode 100644
index 00000000000..ac2c4bebf8a
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json 
@@ -0,0 +1,81 @@ +{ + "events": [ + { + "event.ufi.enabled": "false", + "event.deviceguard.hypervisorenforcedcodeint.running": "false", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.tpm.version": "", + "event.deviceguard.securememoverwrite.available": "false", + "event.deviceguard.virtualizationbasedsecurity.status": "Off", + "host.tpm.compliant": "false", + "host.type": "Workstation", + "host.virtualization_status": "Virtual Machine", + "host.security.antivirus.name": "McAfee Endpoint Security", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "tychon.version.content": "2.3.141.0", + "script.current_duration": "7000.24", + "host.oem.manufacturer": "", + "host.uptime": "618683.1458787", + "host.os.name": "Microsoft Windows 10 Pro", + "host.tpm.present": "false", + "event.deviceguard.secureboot.available": "false", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.architecture": "64-bit", + "host.os.version": "2009", + "host.hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "event.deviceguard.systemguardsecurelaunch.running": "false", + "host.cloud.hosted": "false", + "tychon.version.agent": "1.7.861.86", + "host.hardware.owner": "admin", + "script.version": "2.3.141.0", + "event.deviceguard.hypervisorenforcedcodeint.enabled": "false", + "host.os.edition": "Pro", + "host.workgroup": "WORKGROUP", + "host.ipv6": "", + "event.deviceguard.smmsecuritymigrations.available": "false", + "script.type": "powershell", + "host.domain": "", + "host.os.organization": "", + "host.os.family": "Windows", + "script.current_time": "2023-09-25T20:05:29Z", + "event.deviceguard.credentialguard.running": "false", + "host.hardware.manufacturer": "VMware, Inc.", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.tpm.digest.id": "TPM Digest Not 
Found", + "host.hardware.bios.version": "6.00", + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.os.build": "19045", + "host.security.antivirus.status": "OutOfDate", + "event.deviceguard.version": "1.0", + "host.oem.model": "", + "event.deviceguard.usermodecodeintegrity.policyenforcement": "Off", + "event.deviceguard.dmaprotection.available": "false", + "tychon.definition.oval": "2023-08-15T20:03:33Z", + "host.ipv4": "10.1.9.51", + "event.deviceguard.ueficodereadonly.available": "false", + "host.security.antivirus.exists": "true", + "script.start": "2023-09-25T20:05:22Z", + "host.os.vendor": "Microsoft Corporation", + "host.motherboard.chipset": "Intel Corporation Model 440BX Desktop Reference Platform Version None", + "host.motherboard.serial_number": "None", + "tychon.definition.stig": "2023-08-16T17:18:48Z", + "event.deviceguard.basevirtualizationsupport.available": "false", + "host.cpu.count": "2", + "host.ip": [ + "10.1.9.51" + ], + "event.deviceguard.systemguardsecurelaunch.enabled": "false", + "host.security.antivirus.state": "On", + "script.name": "Get-TychonHostInfo.ps1", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "event.deviceguard.credentialguard.enabled": "false", + "host.os.description": "", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.memory.size": "4294496256" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-config.yml b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" 
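Review bot: The fixture keys `event.deviceguard.*` and `event.ufi.enabled` place vendor data under the ECS-reserved `event` namespace, and the expected output at the later hunk shows them indexed there unchanged under `event.deviceguard` and `event.ufi`; unless the tychon_host field definitions (not in this chunk) deliberately extend `event`, these belong under the vendor namespace (for example `tychon.deviceguard.*`) so they cannot collide with future ECS `event.*` fields. `event.ufi.enabled` also looks like it may be a misspelling of UEFI, which is worth confirming against the script's real output before the name is frozen in the mapping. This hunk is only the test input; the rename would be made in the tychon_host pipeline and fields files.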
diff --git a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json new file mode 100644 index 00000000000..89a8737df6c --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json 
@@ -0,0 +1,160 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:09.537119084Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "host" + ], + "deviceguard": { + "basevirtualizationsupport": { + "available": "false" + }, + "credentialguard": { + "enabled": "false", + "running": "false" + }, + "dmaprotection": { + "available": "false" + }, + "hypervisorenforcedcodeint": { + "enabled": "false", + "running": "false" + }, + "secureboot": { + "available": "false" + }, + "securememoverwrite": { + "available": "false" + }, + "smmsecuritymigrations": { + "available": "false" + }, + "systemguardsecurelaunch": { + "enabled": "false", + "running": "false" + }, + "ueficodereadonly": { + "available": "false" + }, + "usermodecodeintegrity": { + "policyenforcement": "Off" + }, + "version": "1.0", + "virtualizationbasedsecurity": { + "status": "Off" + } + }, + "ingested": "2023-10-05T13:48:09.537119084Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ], + "ufi": { + "enabled": "false" + } + }, + "host": { + "architecture": "64-bit", + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7", + "count": "2" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "memory": { + "size": 4294496256 + }, + "motherboard": { + "chipset": "Intel Corporation Model 440BX Desktop Reference Platform Version None", + "serial_number": "None" + }, + "oem": { + 
"manufacturer": "",
+ "model": ""
+ },
+ "os": {
+ "build": "19045",
+ "description": "",
+ "edition": "Pro",
+ "family": "Windows",
+ "name": "Microsoft Windows 10 Pro",
+ "organization": "",
+ "vendor": "Microsoft Corporation",
+ "version": "2009"
+ },
+ "security": {
+ "antivirus": {
+ "exists": "true",
+ "name": "McAfee Endpoint Security",
+ "state": "On",
+ "status": "OutOfDate"
+ }
+ },
+ "tpm": {
+ "compliant": "false",
+ "digest": {
+ "id": "TPM Digest Not Found"
+ },
+ "present": "false",
+ "version": ""
+ },
+ "type": "Workstation",
+ "uptime": 618683,
+ "virtualization_status": "Virtual Machine",
+ "workgroup": "WORKGROUP"
+ },
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "script": {
+ "current_duration": 7000.24,
+ "current_time": "2023-09-25T20:05:29Z",
+ "name": "Get-TychonHostInfo.ps1",
+ "start": "2023-09-25T20:05:22Z",
+ "type": "powershell",
+ "version": "2.3.141.0"
+ },
+ "tychon": {
+ "definition": {
+ "oval": "2023-08-15T20:03:33Z",
+ "stig": "2023-08-16T17:18:48Z"
+ },
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "version": {
+ "agent": "1.7.861.86",
+ "content": "2.3.141.0"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_host/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
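Review bot: The `{{#contains "forwarded" tags}}{{/contains}}` block in stream.yml.hbs is empty, so it renders nothing whether or not the `forwarded` tag is present; either drop the two lines or give the block its usual content, `publisher_pipeline.disable_host: true`, so host metadata is not attached to events that were forwarded from another machine. The `{{#if preserve_original_event}}` branch refers to a variable that this data stream's manifest.yml, later in this diff, does not declare among its vars (`paths`, `tags`, `processors`), so that branch can never be taken; either add the var to the manifest or remove the branch. The identical template is added for tychon_networkadapter and has the same two issues.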
diff --git a/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..46f52b94213 --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,92 @@
+---
+description: Pipeline for TYCHON HOST OS
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.memory.size
+ type: long
+ ignore_failure: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [host]
+ - set:
+ field: event.type
+ value: [info]
+ - remove:
+ field: tychon.definition.oval
+ if: ctx.tychon.definition.oval == ''
+ - remove:
+ field: tychon.definition.stig
+ if: ctx.tychon.definition.stig == ''
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+ - set:
+ field: host.security.antivirus.exists
+ value: "false"
+ if: ctx.host.security.antivirus.exists == ''
+ - lowercase:
+ field: host.security.antivirus.exists
+ - split:
+ field: host.security.antivirus.exists
+ separator: ","
+ target_field: tempav
+ - set:
+ field: host.security.antivirus.exists
+ value: "{{tempav.0}}"
+ - remove:
+ field: tempav
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
\ No newline at end of file
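Review bot: The `remove` conditions `if: ctx.tychon.definition.oval == ''` and `if: ctx.tychon.definition.stig == ''` dereference `tychon.definition` with no null check, so a document that lacks that object throws a NullPointerException, lands in `on_failure` and is indexed as `event.kind: pipeline_error` with none of the later processors applied; the same holds for `if: ctx.host.security.antivirus.exists == ''` and the `lowercase`/`split` on that field, which carry no `ignore_missing`. Use the null-safe form, `if: ctx.tychon?.definition?.oval == ''` and `if: ctx.host?.security?.antivirus?.exists == ''`, and add `ignore_missing: true` to the `lowercase` and `split` processors. The `remove` processors in the tychon_networkadapter pipeline (`ctx.host.adapter.ip == ''` and the six that follow it) have the same gap. Separately, the `convert` on `host.memory.size` uses `ignore_failure: true` where `ignore_missing: true` is meant, so a non-numeric value silently stays a string and is rejected at index time by the `long` mapping instead of surfacing as a pipeline error.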
diff --git a/packages/tychon/data_stream/tychon_host/fields/agent.yml b/packages/tychon/data_stream/tychon_host/fields/agent.yml new file mode 100644 index 00000000000..efacb477dd9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/fields/agent.yml 
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: version
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: text
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_host/fields/base-fields.yml b/packages/tychon/data_stream/tychon_host/fields/base-fields.yml
new file mode 100644
index 00000000000..58d1699586e
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_host/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: input
+ type: group
+ fields:
+ - name: type
+ description: Input Type.
+ type: keyword
+- name: log
+ type: group
+ fields:
+ - name: offset
+ description: Log Offset.
+ type: long
diff --git a/packages/tychon/data_stream/tychon_host/fields/ecs.yml b/packages/tychon/data_stream/tychon_host/fields/ecs.yml
new file mode 100644
index 00000000000..751e85d95ad
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_host/fields/ecs.yml
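Review bot: `script.current_duration` is mapped as `long` in this agent.yml, but the tychon_host ingest pipeline converts it with `type: float` and the expected fixture carries `7000.24`; with the default `coerce` the mapping truncates the fraction at index time, so the pipeline conversion is lost. Change the mapping to `type: float` (or `double`). `host.ipv4` is `ip` while `host.ipv6` is `keyword`, presumably because the fixtures carry `"ipv6": ""`, which an `ip` field rejects; dropping the empty value in the pipeline, as the networkadapter pipeline already does for empty adapter IPs, would allow a consistent `ip` mapping. The same file content is added as packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml and needs the same changes.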
@@ -0,0 +1,36 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.os.family +- external: ecs + name: host.os.name +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: error.message +- external: ecs + name: event.ingested diff --git a/packages/tychon/data_stream/tychon_host/fields/fields.yml b/packages/tychon/data_stream/tychon_host/fields/fields.yml new file mode 100644 index 00000000000..59bdd71baf8 --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/fields/fields.yml 
@@ -0,0 +1,243 @@ +- name: event + type: group + fields: + - name: deviceguard + type: group + fields: + - name: basevirtualizationsupport + type: group + fields: + - name: available + description: Event Deviceguard Basevirtualizationsupport Available. + type: boolean + - name: credentialguard + type: group + fields: + - name: enabled + description: Event Deviceguard Credentialguard Enabled. + type: boolean + - name: running + description: Event Deviceguard Credentialguard Running. + type: boolean + - name: dmaprotection + type: group + fields: + - name: available + description: Event Deviceguard Dmaprotection Available. + type: boolean + - name: hypervisorenforcedcodeint + type: group + fields: + - name: enabled + description: Event Deviceguard Hypervisorenforcedcodeint Enabled. + type: boolean + - name: running + description: Event Deviceguard Hypervisorenforcedcodeint Running. + type: boolean + - name: secureboot + type: group + fields: + - name: available + description: Event Deviceguard Secureboot Available. + type: boolean + - name: securememoverwrite + type: group + fields: + - name: available + description: Event Deviceguard Securememoverwrite Available. + type: boolean + - name: smmsecuritymigrations + type: group + fields: + - name: available + description: Event Deviceguard Smmsecuritymigrations Available. + type: boolean + - name: systemguardsecurelaunch + type: group + fields: + - name: enabled + description: Event Deviceguard Systemguardsecurelaunch Enabled. + type: boolean + - name: running + description: Event Deviceguard Systemguardsecurelaunch Running. + type: boolean + - name: ueficodereadonly + type: group + fields: + - name: available + description: Event Deviceguard Ueficodereadonly Available. + type: boolean + - name: usermodecodeintegrity + type: group + fields: + - name: policyenforcement + description: Event Deviceguard Usermodecodeintegrity Policyenforcement. + type: keyword + - name: version + description: Event Deviceguard Version. 
+ type: keyword + - name: virtualizationbasedsecurity + type: group + fields: + - name: status + description: Event Deviceguard Virtualizationbasedsecurity Status. + type: keyword + - name: ufi + type: group + fields: + - name: enabled + description: Event Ufi Enabled. + type: boolean +- name: host + type: group + fields: + - name: cloud + type: group + fields: + - name: compute + type: group + fields: + - name: name + description: Host Cloud Compute Name. + type: keyword + - name: resource_group_name + description: Host Cloud Compute Resource Group Name. + type: keyword + - name: resource_id + description: Host Cloud Compute Resource Id. + type: keyword + - name: subscription_id + description: Host Cloud Compute Subscription Id. + type: keyword + - name: tags + description: Host Cloud Compute Tags. + type: keyword + - name: vm_id + description: Host Cloud Compute Vm Id. + type: keyword + - name: hosted + description: Host Cloud Hosted. + type: boolean + - name: network + type: group + fields: + - name: mac_address + description: Host Cloud Network Mac Address. + type: keyword + - name: public_ipv4 + description: Host Cloud Network Public Ipv4. + type: ip + - name: public_ipv6 + description: Host Cloud Network Public Ipv6. + type: ip + - name: compute + type: group + fields: + - name: location + description: Host Compute Location. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host Cpu Caption. + type: text + - name: count + description: Host Cpu Count. + type: integer + - name: memory + type: group + fields: + - name: size + description: Host Memory Size. + type: long + - name: motherboard + type: group + fields: + - name: chipset + description: Host Motherboard Chipset. + type: keyword + - name: serial_number + description: Host Motherboard Serial Number. + type: keyword + - name: os + type: group + fields: + - name: edition + description: Host Os Edition. 
+ type: keyword + - name: extended_support_license + description: Host Os Extended Support License. + type: keyword + - name: extended_support_license_expiration + description: Host Os Extended Support License Expiration. + type: date + - name: suportted_plan + description: Host Os Suportted Plan. + type: keyword + - name: vendor + description: Host Os Vendor. + type: keyword + - name: security + type: group + fields: + - name: antivirus + type: group + fields: + - name: exists + description: Host Security Antivirus Exists. + type: boolean + - name: name + description: Host Security Antivirus Name. + type: keyword + - name: state + description: Host Security Antivirus State. + type: keyword + - name: status + description: Host Security Antivirus Status. + type: keyword + - name: tpm + type: group + fields: + - name: compliant + description: Host Tpm Compliant. + type: boolean + - name: digest + type: group + fields: + - name: id + description: Host Tpm Digest Id. + type: keyword + - name: present + description: Host Tpm Present. + type: boolean + - name: version + description: Host Tpm Version. + type: keyword + - name: virtualization_status + description: Host Virtualization Status. + type: keyword + - name: virtulization_status + description: Host Virtulization Status. + type: keyword +- name: tychon + type: group + fields: + - name: definition + type: group + fields: + - name: oval + description: Tychon Definition Oval. + type: date + - name: stig + description: Tychon Definition Stig. + type: date + - name: version + type: group + fields: + - name: agent + description: Tychon Version Agent. + type: version + - name: content + description: Tychon Version Content. + type: version diff --git a/packages/tychon/data_stream/tychon_host/manifest.yml b/packages/tychon/data_stream/tychon_host/manifest.yml new file mode 100644 index 00000000000..338763ad7f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_host/manifest.yml 
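Review bot: Two field names under `host` in this fields.yml are misspelled: `suportted_plan`, and `virtulization_status` sitting next to the correctly spelled `virtualization_status` that the expected fixture actually populates. A mapped field name is what users query on once the package ships, so correct them now (`supported_plan`, and drop `virtulization_status` unless the agent really emits both keys — nothing in this diff shows that; if it does, rename it in the pipeline rather than mapping the typo). As a point of style, vendor-specific groups such as `event.deviceguard` and `event.ufi` are placed under the ECS `event.*` namespace, where they can collide with future ECS fields; the `tychon.*` group declared at the end of this file is the conventional home for them.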
@@ -0,0 +1,33 @@
+title: Host Operating System Info
+type: logs
+streams:
+ - input: logfile
+ title: Host Operating System Info
+ description: TYCHON collects 1-1 information about an endpoint in this dataset
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Host Operating System Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_host_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_host_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-host-info
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json
new file mode 100644
index 00000000000..807e43f4aa6
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json
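Review bot: The stream description `TYCHON collects 1-1 information about an endpoint in this dataset` is shown to users in the Fleet policy editor and is hard to parse; if it means one document per endpoint, say so, e.g. `One host operating-system record per endpoint, read from the TYCHON host info JSON file.` The stream template this manifest points to tests `preserve_original_event`, which is not among the vars declared here, so either that var should be added (as `type: bool`, `default: false`) or the template branch removed.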
@@ -0,0 +1,80 @@ +{ + "events": [ + { + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.adapter.subnet_bit": "24", + "host.workgroup": "WORKGROUP", + "host.adapter.domain": "", + "host.adapter.virtual": "false", + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.adapter.wifi.authentication": "", + "host.type": "Workstation", + "host.oem.model": "", + "host.adapter.wifi.signal_percent": "", + "script.current_duration": "14530.74", + "host.adapter.dhcp.lease_obtained": "", + "host.oem.manufacturer": "", + "host.uptime": "618589.769059", + "host.os.name": "Microsoft Windows 10 Pro", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.adapter.ndis.version": "6.50", + "host.adapter.ip": "10.1.9.51", + "host.os.family": "Windows", + "host.adapter.driver.version": "12.17.10.8", + "host.adapter.wifi.cipher": "", + "host.adapter.link_speed": "1 Gbps", + "host.hostname": "BOTANYBAYEP1", + "id": "201f62ea31d32bc635feeda477e602ff4b304bb6", + "host.adapter.wifi.ssid": "", + "host.cloud.hosted": "false", + "host.hardware.owner": "admin", + "script.version": "2.3.141.0", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "host.adapter.wifi.channel": "", + "host.adapter.driver.name": "Driver Date 2018-06-12 Version 12.17.10.8 NDIS 6.50", + "host.ipv6": "", + "host.os.version": "2009", + "script.type": "powershell", + "host.domain": "", + "host.os.organization": "", + "host.adapter.driver.file_name": "e1i65x64.sys", + "host.adapter.driver.description": "Intel(R) 82574L Gigabit Network Connection", + "host.adapter.gateway": "10.1.9.1", + "host.adapter.dhcp.enabled": "false", + "host.adapter.wifi.band": "", + "script.current_time": "2023-09-25T20:04:01Z", + "host.hardware.manufacturer": "VMware, Inc.", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.hardware.bios.version": "6.00", + "host.os.build": "19045", + "host.adapter.mtu": 
"1500", + "host.adapter.vlan.id": "", + "host.adapter.wins_server": "", + "host.adapter.driver.provider": "Microsoft", + "host.ipv4": "10.1.9.51", + "host.adapter.wifi.enabled": "false", + "host.adapter.dhcp.lease_expires": "", + "host.adapter.ip_filter.enabled": "false", + "host.adapter.wifi.radio_type": "", + "host.adapter.description": "Intel(R) 82574L Gigabit Network Connection", + "script.start": "2023-09-25T20:03:46Z", + "host.adapter.driver.date": "2018-06-12", + "host.ip": [ + "10.1.9.51" + ], + "host.adapter.alias": "Ethernet0", + "host.adapter.mac": "00-0C-29-93-6A-F3", + "host.adapter.media.type": "802.3", + "host.adapter.id": "{8CF7047B-04F9-48B6-8928-0593504DBA4D}", + "script.name": "Get-TychonNetworkAdapterInfo.ps1", + "host.adapter.dhcp.server": "", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.adapter.media.connection_state": "Connected", + "host.os.description": "", + "host.adapter.wifi.bssid": "", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-config.yml b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json new file mode 100644 index 00000000000..8cc0a71fc85 --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json 
@@ -0,0 +1,128 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:09.779537418Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "configuration" + ], + "ingested": "2023-10-05T13:48:09.779537418Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "adapter": { + "alias": "Ethernet0", + "description": "Intel(R) 82574L Gigabit Network Connection", + "dhcp": { + "enabled": "false" + }, + "domain": "", + "driver": { + "date": "2018-06-12", + "description": "Intel(R) 82574L Gigabit Network Connection", + "file_name": "e1i65x64.sys", + "name": "Driver Date 2018-06-12 Version 12.17.10.8 NDIS 6.50", + "provider": "Microsoft", + "version": "12.17.10.8" + }, + "gateway": "10.1.9.1", + "id": "{8CF7047B-04F9-48B6-8928-0593504DBA4D}", + "ip": "10.1.9.51", + "ip_filter": { + "enabled": "false" + }, + "link_speed": 0, + "mac": "00-0C-29-93-6A-F3", + "media": { + "connection_state": "Connected", + "type": "802.3" + }, + "mtu": "1500", + "ndis": { + "version": "6.50" + }, + "subnet_bit": "24", + "virtual": "false", + "vlan": { + "id": "" + }, + "wifi": { + "authentication": "", + "band": "", + "bssid": "", + "channel": "", + "cipher": "", + "enabled": "false", + "radio_type": "", + "signal_percent": "", + "ssid": "" + } + }, + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": 
{ + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 618589, + "workgroup": "WORKGROUP" + }, + "host.adapter.link_speed": 1073741824, + "id": "201f62ea31d32bc635feeda477e602ff4b304bb6", + "script": { + "current_duration": 14530.74, + "current_time": "2023-09-25T20:04:01Z", + "name": "Get-TychonNetworkAdapterInfo.ps1", + "start": "2023-09-25T20:03:46Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..e39e88b253d --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true + expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..08db5fe566c --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,115 @@
+---
+description: Pipeline for parsing TYCHON Network Adapters
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - remove:
+ field: host.adapter.ip
+ if: ctx.host.adapter.ip == ''
+ - remove:
+ field: host.adapter.gateway
+ if: ctx.host.adapter.gateway == ''
+ - remove:
+ field: host.adapter.dhcp.server
+ if: ctx.host.adapter.dhcp.server == ''
+ - remove:
+ field: host.adapter.dhcp.lease_obtained
+ if: ctx.host.adapter.dhcp.lease_obtained == ''
+ - remove:
+ field: host.adapter.dhcp.lease_expires
+ if: ctx.host.adapter.dhcp.lease_expires == ''
+ - remove:
+ field: host.adapter.driver.date
+ if: ctx.host.adapter.driver.date == ''
+ - remove:
+ field: host.adapter.wins_server
+ if: ctx.host.adapter.wins_server == ''
+ - set:
+ field: link_speed
+ value: "{{host.adapter.link_speed}}"
+ - set:
+ field: host.adapter.link_speed
+ value: 0
+ - script:
+ source:
+ |
+ if(ctx['link_speed'].contains(' ')){
+ String[] linkSpeed=ctx['link_speed'].splitOnToken(' ');
+ ctx.remove('link_speed');
+ ctx['host.adapter.link_speed']=Long.parseLong(linkSpeed[0]);
+ if(linkSpeed[1]=='Kbps'){
+ ctx['host.adapter.link_speed']*=1024
+ }
+ if(linkSpeed[1]=='Mbps'){
+ ctx['host.adapter.link_speed']*=1048576
+ }
+ if(linkSpeed[1]=='Gbps'){
+ ctx['host.adapter.link_speed']*=1073741824
+ }
+ } else {
+ ctx.remove('link_speed');
+ }
+ ignore_failure: true
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - 
remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.module
+ value: tychon
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_networkadapter/fields/agent.yml
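Review bot: The Painless script assigns `ctx['host.adapter.link_speed']`, which writes a top-level key whose name contains literal dots instead of the nested `host.adapter.link_speed` that `dot_expander` created, so the nested field keeps the `0` set just before the script; the expected fixture added for this data stream records exactly that (`"host.adapter.link_speed": 1073741824` at the top level beside `"link_speed": 0` inside `host.adapter`) and will need regenerating once this is fixed. Access the nested field as `ctx.host.adapter.link_speed`, and guard `ctx.link_speed` against null before calling `contains`, since `ignore_failure: true` currently just hides the NullPointerException raised when the source field is absent. The multipliers are also binary (1024, 1048576, 1073741824) although link speeds are decimal bit rates, so `1 Gbps` should become 1000000000 rather than 1073741824; confirm the producer's convention before changing that part. The script block below shows the rewritten processor; the surrounding `set`/`remove` processors are unchanged.
```yaml
  - script:
      source: |
        if (ctx.link_speed != null && ctx.link_speed.contains(' ')) {
          String[] linkSpeed = ctx.link_speed.splitOnToken(' ');
          long speed = Long.parseLong(linkSpeed[0]);
          if (linkSpeed[1] == 'Kbps') { speed *= 1000L; }
          else if (linkSpeed[1] == 'Mbps') { speed *= 1000000L; }
          else if (linkSpeed[1] == 'Gbps') { speed *= 1000000000L; }
          ctx.host.adapter.link_speed = speed;
        }
        ctx.remove('link_speed');
      ignore_failure: true
  # … unchanged: gsub/split/convert processors that follow …
```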
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/base-fields.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/ecs.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/ecs.yml new file mode 100644 index 00000000000..ce008f57715 --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/fields/ecs.yml 
@@ -0,0 +1,36 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.ingested +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.os.family +- external: ecs + name: host.os.name +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml new file mode 100644 index 00000000000..a4ecfb6ce0c --- /dev/null +++ b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml 
@@ -0,0 +1,135 @@
+- name: host
+ type: group
+ fields:
+ - name: adapter
+ type: group
+ fields:
+ - name: alias
+ type: keyword
+ description: The Alias given to this adapter
+ - name: description
+ type: text
+ description: The network adapter description
+ - name: dhcp
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ description: Is DHCP Enabled on this adapter
+ - name: lease_expires
+ type: date
+ description: When does this DHCP lease expire
+ - name: lease_obtained
+ type: date
+ description: When was the DHCP lease obtained
+ - name: server
+ type: ip
+ description: What IP Address was the DHCP IP obtained from.
+ - name: domain
+ type: text
+ description: What domain was assigned to this adapter
+ - name: driver
+ type: group
+ fields:
+ - name: date
+ type: date
+ description: Date the driver was installed
+ - name: description
+ type: text
+ description: Description of the driver
+ - name: file_name
+ type: keyword
+ description: Driver File name
+ - name: name
+ type: keyword
+ description: Name of the driver
+ - name: provider
+ type: keyword
+ description: Company that provided the driver
+ - name: version
+ type: keyword
+ description: Version of the driver
+ - name: gateway
+ type: ip
+ description: Gateway IP Address
+ - name: id
+ type: keyword
+ description: ID Of the adapter
+ - name: ip
+ type: ip
+ description: IP Addresses assigned to the adapter
+ - name: ip_filter
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ description: Is IP Filtering Enabled
+ - name: wins_server
+ type: ip
+ description: The WINS Server attached to this adapter
+ - name: link_speed
+ type: long
+ description: Link speed of the adapter
+ - name: mac
+ type: keyword
+ description: Hardware MAC Address
+ - name: media
+ type: group
+ fields:
+ - name: connection_state
+ type: keyword
+ description: Current Connection State
+ - name: type
+ type: keyword
+ description: Current Connection Media Type
+ - name: mtu
+ type: integer
+ description: MTU 
Size
+ - name: ndis
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: NDIS Version
+ - name: subnet_bit
+ type: integer
+ description: Subnet BIT
+ - name: virtual
+ type: boolean
+ description: Is adapter virtual
+ - name: vlan
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The VLAN ID
+ - name: wifi
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ description: Is WIFI Enabled
+ - name: signal_percent
+ type: integer
+ description: Signal strength to connected WIFI Router
+ - name: ssid
+ type: keyword
+ description: The Connected WIFI Router SSID
+ - name: bssid
+ type: keyword
+ description: The Connected WIFI Router Hardware Address
+ - name: radio_type
+ type: keyword
+ description: The radio type of the connected WIFI Router
+ - name: authentication
+ type: keyword
+ description: The Authentication method used to connected to the WIFI Router
+ - name: cipher
+ type: keyword
+ description: The CIPHER used to connected to the WIFI Router
+ - name: band
+ type: keyword
+ description: The band used to connected to the WIFI Router
+ - name: channel
+ type: keyword
+ description: The channel used to connected to the WIFI Router
diff --git a/packages/tychon/data_stream/tychon_networkadapter/manifest.yml b/packages/tychon/data_stream/tychon_networkadapter/manifest.yml
new file mode 100644
index 00000000000..29608b8b892
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_networkadapter/manifest.yml
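Review bot: `host.adapter.domain` and `host.adapter.description` are mapped as `text`, which makes them non-aggregatable, so a dashboard cannot group or filter adapters by domain; `type: keyword` fits a domain name, and `description` could stay searchable as a keyword with a text multi-field if full-text search is wanted. The `ip`-typed fields (`dhcp.server`, `gateway`, `ip`, `wins_server`) will cause the whole document to be rejected if the agent emits an empty string for an unset value, which the fixtures of the other streams in this commit show it does for fields such as `host.ipv6`; the stream's ingest pipeline (not in view) should drop or guard empty values before they reach an `ip` mapping. Several descriptions read `used to connected to`; `used to connect to` is intended.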
@@ -0,0 +1,33 @@
+title: Network Adapters
+type: logs
+streams:
+ - input: logfile
+ title: Network Adapters
+ description: TYCHON reports on a host endpoints Network Adapters/NICs.
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Host Network Adapters Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_networkadapter_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_networkadapter_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-networkadapter
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json
new file mode 100644
index 00000000000..c76c3a50095
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json
@@ -0,0 +1,56 @@
+{
+ "events": [
+ {
+ "host.biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB",
+ "host.domain": "",
+ "host.hardware.bios.name": "Phoenix Technologies LTD",
+ "host.hardware.bios.version": "6.00",
+ "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "host.hardware.manufacturer": "VMware, Inc.",
+ "host.hardware.owner": "dcuser",
+ "host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb",
+ "host.hostname": "DESKTOP-TIUKL1R",
+ "host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
+ "host.ip": [
+ "10.1.9.112"
+ ],
+ "host.ipv4": "10.1.9.112",
+ "host.ipv6": "fe80::40d1:5287:42b9:5645",
+ "host.mac": [
+ "00:0C:29:EF:9A:EB"
+ ],
+ "host.oem.manufacturer": "",
+ "host.oem.model": "",
+ "host.os.build": "22000",
+ "host.os.description": "",
+ "host.os.family": "Windows",
+ "host.os.name": "Microsoft Windows 11 Education N",
+ "host.os.organization": "",
+ "host.os.version": "10.0.22000",
+ "host.type": "Workstation",
+ "host.uptime": "145287",
+ "host.workgroup": "WORKGROUP",
+ "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900",
+ "script.current_duration": "315381.28",
+ "script.current_time": "2023-06-15T21:58:02Z",
+ "script.name": "Invoke-CveScan.ps1",
+ "script.start": "2023-06-15T21:52:47Z",
+ "script.type": "powershell",
+ "script.version": "0.1.0",
+ "vulnerability.due_date": "",
+ "vulnerability.classification": "vulnerability",
+ "vulnerability.iava": "2013-A-0227",
+ "vulnerability.iava_severity": "CAT II",
+ "vulnerability.id": "CVE-2013-3900",
+ "vulnerability.reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900",
+ "vulnerability.result": "fail",
+ "vulnerability.scanner.vendor": "TYCHON",
+ "vulnerability.score.base": "7.60",
+ "vulnerability.score.version": "2.0",
+ "vulnerability.severity": "HIGH",
+ "vulnerability.title": "The WinVerifyTrust function in 
Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ",
+ "vulnerability.version": "1",
+ "vulnerability.year": "2013"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-config.yml b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json
new file mode 100644
index 00000000000..934541f2391
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json
@@ -0,0 +1,98 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-10-05T13:48:10.040484755Z",
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "category": [
+ "vulnerability"
+ ],
+ "ingested": "2023-10-05T13:48:10.040484755Z",
+ "kind": "state",
+ "module": "tychon",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB",
+ "domain": "",
+ "hardware": {
+ "bios": {
+ "name": "Phoenix Technologies LTD",
+ "version": "6.00"
+ },
+ "cpu": {
+ "caption": "Intel64 Family 6 Model 45 Stepping 7"
+ },
+ "manufacturer": "VMware, Inc.",
+ "owner": "dcuser",
+ "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb"
+ },
+ "hostname": "DESKTOP-TIUKL1R",
+ "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
+ "ip": [
+ "10.1.9.112"
+ ],
+ "ipv4": [
+ "10.1.9.112"
+ ],
+ "ipv6": "fe80::40d1:5287:42b9:5645",
+ "mac": [
+ "00-0C-29-EF-9A-EB"
+ ],
+ "oem": {
+ "manufacturer": "",
+ "model": ""
+ },
+ "os": {
+ "build": "22000",
+ "description": "",
+ "family": "Windows",
+ "name": "Microsoft Windows 11 Education N",
+ "organization": "",
+ "version": "10.0.22000"
+ },
+ "type": "Workstation",
+ "uptime": 145287,
+ "workgroup": "WORKGROUP"
+ },
+ "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900",
+ "script": {
+ "current_duration": 315381.28,
+ "current_time": "2023-06-15T21:58:02Z",
+ "name": "Invoke-CveScan.ps1",
+ "start": "2023-06-15T21:52:47Z",
+ "type": "powershell",
+ "version": "0.1.0"
+ },
+ "vulnerability": {
+ "category": [
+ "oval"
+ ],
+ "classification": "cvss",
+ "due_date": "1970-01-01T00:00:01.000Z",
+ "enumeration": "CVE",
+ "iava": "2013-A-0227",
+ "iava_severity": "CAT II",
+ "id": "CVE-2013-3900",
+ "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900",
+ "result": "fail",
+ "scanner": {
+ "vendor": "tychon"
+ },
+ "score": {
+ "base": 7.6,
+ "version": 
"2.0"
+ },
+ "severity": "HIGH",
+ "title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ",
+ "version": "1",
+ "year": 2013
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_patch/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_patch/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..8b177f1461f
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/agent/stream/stream.yml.hbs
@@ -0,0 +1,23 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
+ 
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..bfc8a8fcc9d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml
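Review bot: `{{#if preserve_original_event}}` refers to a variable that this stream's manifest later in this commit never declares — its vars are `paths`, `tags` and `processors` — so the block can never be rendered and the tag is unreachable; either add a boolean `preserve_original_event` var to the manifest or drop the block. `json.keys_under_root: true` together with `expand_keys: true` puts every key of each log record at the document root, so whatever `event.*`/`host.*` keys the TYCHON file carries are taken as-is until the ingest pipeline overwrites the few it sets; that is the intended design for an agent-generated file, but it deserves a line in the template, e.g. `# records are trusted to populate root fields; the ingest pipeline overwrites event.kind/module`. The trailing whitespace-only line before end of file is probably unintended.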
@@ -0,0 +1,108 @@
+---
+description: CVE Pipeline for parsing TYCHON Vulnerability Scan Results
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: vulnerability.due_date
+ value: "1970-01-01T00:00:01Z"
+ if: ctx.vulnerability.due_date == ''
+ - date:
+ field: vulnerability.due_date
+ target_field: vulnerability.due_date
+ output_format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX
+ ignore_failure: true
+ formats:
+ - strict_date_optional_time
+ - epoch_millis
+ - date
+ - "MM/dd/yyyy"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [vulnerability]
+ - set:
+ field: event.type
+ value: [info]
+ - script:
+ source: |
+ if(ctx.vulnerability?.result == 'fail'){
+ ctx.event.outcome = "failure"
+ }else if(ctx.vulnerability?.result == 'pass'){
+ ctx.event.outcome = "success"
+ }else{
+ ctx.event.outcome = "unknown"
+ }
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+ - convert:
+ field: vulnerability.score.base
+ type: float
+ - convert:
+ field: vulnerability.year
+ type: long
+ - set:
+ field: vulnerability.scanner.vendor
+ value: tychon
+ - set:
+ field: vulnerability.category
+ value: [oval]
+ - set:
+ field: 
vulnerability.classification
+ value: cvss
+ - set:
+ field: vulnerability.enumeration
+ value: CVE
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_patch/fields/agent.yml b/packages/tychon/data_stream/tychon_patch/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/fields/agent.yml
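Review bot: `if: ctx.vulnerability.due_date == ''` on the first `set` is not null-safe, so a record without a `vulnerability` object throws a NullPointerException, falls into `on_failure`, and the whole document is indexed as `pipeline_error`, while the outcome script further down already uses the null-safe `ctx.vulnerability?.result`; the guard should read `if: ctx.vulnerability?.due_date == ''`. The `convert` processors for `vulnerability.score.base` and `vulnerability.year` carry no `ignore_missing`, so a record that omits either field fails the same way. Substituting `1970-01-01T00:00:01Z` for an empty due date makes every such finding look decades overdue in any remediation-SLA view and is indistinguishable from a real date downstream; a `remove` of the empty field (`ignore_missing: true`) is safer than a sentinel. `host.name` is never populated from `host.hostname`, so host-centric views that key on `host.name` will not correlate these findings with the host; a `set` with `field: host.name`, `copy_from: host.hostname` and `if: ctx.host?.name == null` would fix it.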
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: version
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: text
+ - name: organization
+ description: Host OS Organization. 
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_patch/fields/base-fields.yml b/packages/tychon/data_stream/tychon_patch/fields/base-fields.yml
new file mode 100644
index 00000000000..58d1699586e
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: input
+ type: group
+ fields:
+ - name: type
+ description: Input Type.
+ type: keyword
+- name: log
+ type: group
+ fields:
+ - name: offset
+ description: Log Offset.
+ type: long
diff --git a/packages/tychon/data_stream/tychon_patch/fields/ecs.yml b/packages/tychon/data_stream/tychon_patch/fields/ecs.yml
new file mode 100644
index 00000000000..1b24786125d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/fields/ecs.yml
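Review bot: `script.current_duration` is mapped as `long`, but this stream's ingest pipeline converts the value to `float` and the expected fixture shows `315381.28`; with default numeric coercion Elasticsearch silently truncates the fraction at index time, so the mapping should be `type: float` (or `double`) to agree with the pipeline. The descriptions of `host.hardware.manufacturer` and `host.hardware.owner` say `Host BIOS Manufacturer.` and `Host BIOS Owner.`, yet the fixtures carry `VMware, Inc.` and `dcuser`, which read as the system manufacturer and the registered owner rather than BIOS attributes; `Host hardware manufacturer.` and `Host registered owner.` would describe the values, to be confirmed against the agent, which is not in view. The same blob is committed again as the softwareinventory stream's agent.yml, and its tail appears at the top of this chunk for the networkadapter stream, so all three copies need the same change.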
@@ -0,0 +1,94 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: host.uptime
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
+- external: ecs
+ name: vulnerability.category
+- external: ecs
+ name: vulnerability.classification
+- external: ecs
+ name: vulnerability.description
+- external: ecs
+ name: vulnerability.enumeration
+- external: ecs
+ name: vulnerability.id
+- external: ecs
+ name: vulnerability.reference
+- external: ecs
+ name: vulnerability.scanner.vendor
+- external: ecs
+ name: vulnerability.score.base
+- external: ecs
+ name: vulnerability.score.version
+- external: ecs
+ name: vulnerability.severity
diff --git a/packages/tychon/data_stream/tychon_patch/fields/fields.yml b/packages/tychon/data_stream/tychon_patch/fields/fields.yml
new file mode 100644
index 00000000000..b73c0500bbc
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/fields/fields.yml
@@ -0,0 +1,27 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: due_date
+ description: Vulnerability Due Date.
+ type: date
+ - name: due_date_reason
+ description: Vulnerability Due Date Reason.
+ type: keyword
+ - name: iava
+ description: Vulnerability Iava.
+ type: keyword
+ - name: iava_severity
+ description: Vulnerability Iava Severity.
+ type: keyword
+ - name: result
+ description: Vulnerability Result.
+ type: keyword
+ - name: title
+ description: Vulnerability Title.
+ type: keyword
+ - name: version
+ description: Vulnerability Version.
+ type: keyword
+ - name: year
+ description: Vulnerability Year.
+ type: integer
diff --git a/packages/tychon/data_stream/tychon_patch/manifest.yml b/packages/tychon/data_stream/tychon_patch/manifest.yml
new file mode 100644
index 00000000000..06cb2a56c52
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_patch/manifest.yml
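Review bot: `Vulnerability Iava.` and `Vulnerability Iava Severity.` do not tell a reader what the field holds; `Information Assurance Vulnerability Alert (IAVA) identifier.` and `IAVA severity category, e.g. CAT II.` (the example is the value in this commit's fixture) would. `due_date_reason` is declared here but neither the fixture nor the pipeline in this commit produces it, so its description should say where the value comes from, or the field should wait until something emits it. `vulnerability.year` is `integer` here while the pipeline converts it to `long`; harmless under coercion, but using `long` on both sides removes the mismatch.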
@@ -0,0 +1,32 @@
+title: Patches
+type: logs
+streams:
+ - input: logfile
+ title: Patches
+ description: TYCHON checks for thousands of installed patches and reports them back to Elasticsearch for reporting, trend analysis and response actions.
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Patch Results Location
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/tychoncloud/eventlogs/tychon_patch_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-patch
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json
new file mode 100644
index 00000000000..9c880f7f052
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json
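Review bot: The `paths` default lists only the Linux location, while the networkadapter manifest earlier in this commit defaults to both a `C:\ProgramData\TYCHONCLOUD\eventlogs\...` path and the `/var/log/tychoncloud/eventlogs/...` path, and this stream's own fixture comes from a Windows host running `Invoke-CveScan.ps1`; unless patch results are Linux-only, a Windows default is missing (presumably `C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_patch_info.json` by analogy with the networkadapter path — confirm against the agent). This stream's `stream.yml.hbs` also references a `preserve_original_event` variable that is not among the vars declared here, so either declare it as a boolean var or remove the reference from the template.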
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "package.description": "",
+ "script.current_time": "2023-09-25T04:03:27Z",
+ "package.size": "",
+ "host.os.build": "19045",
+ "host.ip": [
+ "10.1.9.51"
+ ],
+ "host.hostname": "BOTANYBAYEP1",
+ "host.hardware.manufacturer": "VMware, Inc.",
+ "script.start": "2023-09-25T04:03:20Z",
+ "host.os.name": "Microsoft Windows 10 Pro",
+ "host.hardware.owner": "admin",
+ "package.architecture": "x86",
+ "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+ "host.os.organization": "",
+ "package.version": "5.7.6.251",
+ "script.type": "powershell",
+ "host.workgroup": "WORKGROUP",
+ "host.ipv4": "10.1.9.51",
+ "host.os.version": "2009",
+ "package.path": "C:\\Program Files\\McAfee\\Agent\\",
+ "host.hardware.bios.name": "Phoenix Technologies LTD",
+ "package.publisher": "McAfee, LLC.",
+ "host.type": "Workstation",
+ "package.id": "McAfeeAgent",
+ "package.version_build": "251",
+ "package.uninstall": "\"C:\\Program Files\\McAfee\\Agent\\x86\\FrmInst.exe\" /uninstall",
+ "package.name": "McAfee Agent",
+ "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
+ "host.mac": [
+ "00:0C:29:93:6A:F3"
+ ],
+ "package.version_major": "5",
+ "host.oem.model": "",
+ "host.uptime": "560963.1794915",
+ "id": "eade7a9d914c1e82ec2cd77223cd949593f05ce7",
+ "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3",
+ "script.name": "Get-TychonSoftwareInventory.ps1",
+ "package.version_release": "6",
+ "script.version": "2.3.141.0",
+ "package.version_minor": "7",
+ "host.oem.manufacturer": "",
+ "host.os.description": "",
+ "package.installed": "",
+ "script.current_duration": "6844.84",
+ "host.ipv6": "",
+ "package.type": "installer",
+ "host.hardware.bios.version": "6.00",
+ 
"package.cpe": "cpe:/a:McAfee Agent:5.7.6.251",
+ "host.domain": "",
+ "host.cloud.hosted": "false",
+ "host.os.family": "Windows"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-config.yml b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-config.yml
new file mode 100644
index 00000000000..302199c74f9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-config.yml
@@ -0,0 +1,3 @@
+dynamic_fields:
+ "@timestamp": ".*"
+ event.ingested: ".*"
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json
new file mode 100644
index 00000000000..7bdb937e8d6
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json
@@ -0,0 +1,97 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-10-05T13:48:10.296137904Z",
+ "ecs": {
+ "version": "8.8.0"
+ },
+ "event": {
+ "category": [
+ "package"
+ ],
+ "ingested": "2023-10-05T13:48:10.296137904Z",
+ "kind": "state",
+ "module": "tychon",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
+ "cloud": {
+ "hosted": "false"
+ },
+ "domain": "",
+ "hardware": {
+ "bios": {
+ "name": "Phoenix Technologies LTD",
+ "version": "6.00"
+ },
+ "cpu": {
+ "caption": "Intel64 Family 6 Model 45 Stepping 7"
+ },
+ "manufacturer": "VMware, Inc.",
+ "owner": "admin",
+ "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3"
+ },
+ "hostname": "BOTANYBAYEP1",
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+ "ip": [
+ "10.1.9.51"
+ ],
+ "ipv4": [
+ "10.1.9.51"
+ ],
+ "ipv6": "",
+ "mac": [
+ "00-0C-29-93-6A-F3"
+ ],
+ "oem": {
+ "manufacturer": "",
+ "model": ""
+ },
+ "os": {
+ "build": "19045",
+ "description": "",
+ "family": "Windows",
+ "name": "Microsoft Windows 10 Pro",
+ "organization": "",
+ "version": "2009"
+ },
+ "type": "Workstation",
+ "uptime": 560963,
+ "workgroup": "WORKGROUP"
+ },
+ "id": "eade7a9d914c1e82ec2cd77223cd949593f05ce7",
+ "package": {
+ "architecture": "x86",
+ "cpe": "cpe:/a:McAfee Agent:5.7.6.251",
+ "description": "",
+ "id": "McAfeeAgent",
+ "installed": "1970-01-01T00:00:01Z",
+ "name": "McAfee Agent",
+ "path": "C:\\Program Files\\McAfee\\Agent\\",
+ "publisher": "McAfee, LLC.",
+ "size": 0,
+ "type": "installer",
+ "uninstall": "\"C:\\Program Files\\McAfee\\Agent\\x86\\FrmInst.exe\" /uninstall",
+ "version": "5.7.6.251",
+ "version_build": "251",
+ "version_major": "5",
+ "version_minor": "7",
+ "version_release": "6"
+ },
+ "script": {
+ "current_duration": 6844.84,
+ "current_time": "2023-09-25T04:03:27Z",
+ "name": "Get-TychonSoftwareInventory.ps1",
+ "start": "2023-09-25T04:03:20Z",
+ "type": 
"powershell",
+ "version": "2.3.141.0"
+ },
+ "tychon": {
+ "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..e39e88b253d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+ keys_under_root: true
+ expand_keys: true
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..26cbade110e
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml
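Review bot: The `{{#contains "forwarded" tags}}` block is empty here, whereas the tychon_patch template in this commit sets `publisher_pipeline.disable_host: true` inside it, and this template also omits the `- add_locale: ~` processor; the two streams read the same kind of agent-written file and should behave alike, so either add `publisher_pipeline.disable_host: true` inside the block and `- add_locale: ~` under `processors:`, or remove the empty block. `{{#if preserve_original_event}}` refers to a variable that the patch stream's manifest does not declare; this stream's manifest is not in view, but if it follows the same `paths`/`tags`/`processors` shape the block is unreachable here as well.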
@@ -0,0 +1,112 @@ +--- +description: Pipeline for Software Inventory +processors: + - dot_expander: + field: "*" + - set: + field: "@timestamp" + value: "{{_ingest.timestamp}}" + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: 8.8.0 + - set: + field: package.installed + value: "1970-01-01T00:00:01Z" + if: ctx.package.installed == 'installed' + - set: + field: package.installed + value: "1970-01-01T00:00:01Z" + if: ctx.package.installed == '' + - gsub: + field: host.mac + pattern: ":" + replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true + - convert: + field: host.uptime + type: string + ignore_missing: true + - split: + field: host.uptime + separator: "\\.+" + target_field: tempuptime + ignore_failure: true + - set: + field: host.uptime + value: "{{tempuptime.0}}" + ignore_failure: true + - remove: + field: tempuptime + ignore_failure: true + ignore_missing: true + - convert: + field: host.uptime + type: long + ignore_missing: true + - gsub: + field: package.size + pattern: "[^0-9]" + replacement: "" + - set: + field: package.size + value: 0 + ignore_failure: true + if: ctx.package.size == '' + - gsub: + field: package.version_build + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - gsub: + field: package.version_major + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - gsub: + field: package.version_minor + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - gsub: + field: package.version_release + pattern: "[^0-9]" + replacement: "" + ignore_missing: true + - set: + field: event.kind + value: state + - set: + field: package.type + value: rpm + if: ctx.package.type == '' + - script: + source: ctx.package.cpe = "cpe:/a:" + ctx.package.name + ":" + ctx.package.version + if: ctx.package.cpe == '' + ignore_failure: true + - set: + field: event.module + value: tychon + - set: + field: event.category + value: [package] + 
- set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/fields/agent.yml b/packages/tychon/data_stream/tychon_softwareinventory/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_softwareinventory/fields/agent.yml
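Review bot: The `script` that fills an empty `package.cpe` builds `"cpe:/a:" + ctx.package.name + ":" + ctx.package.version`, which puts the product name, spaces included (`McAfee Agent` in the fixture), into the CPE vendor slot and the version into the product slot; a CPE 2.2 URI is `cpe:/a:<vendor>:<product>:<version>` with no unescaped spaces, so the value cannot match NVD or other vulnerability feeds, and it should be built from `package.publisher` plus a normalised product name, or left unset rather than invented (the agent's own `package.cpe` in the fixture has the same shape, so this is a data-quality issue either way). `if: ctx.package.installed == 'installed'`, `if: ctx.package.installed == ''` and `if: ctx.package.size == ''` are not null-safe (`ctx.package?.installed`, `ctx.package?.size`), and the first `gsub` on `package.size` has no `ignore_missing`, so a record without those keys ends up as `pipeline_error` instead of being indexed. Defaulting `package.type` to `rpm` when it is empty asserts a package format the pipeline cannot know, and the fixture in this commit is a Windows host; leaving the field unset is the honest choice. `host.cloud.hosted` arrives as the string `"false"` and is passed through untouched (see the expected fixture), so a `convert` to `boolean` with `ignore_missing: true` is needed for it to be filterable as a boolean; the enclosing `processors` list starts in the previous line of the diff.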
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_softwareinventory/fields/base-fields.yml b/packages/tychon/data_stream/tychon_softwareinventory/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_softwareinventory/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_softwareinventory/fields/ecs.yml b/packages/tychon/data_stream/tychon_softwareinventory/fields/ecs.yml new file mode 100644 index 00000000000..c5ebf028eff --- /dev/null +++ b/packages/tychon/data_stream/tychon_softwareinventory/fields/ecs.yml 
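Review bot: `script.current_duration` is declared `type: long` here while the pipeline converts it to `float` and the tychon_stig expected output carries `10195.83`, so at index time the mapping will truncate the value (or reject it where coercion is disabled); change the line to `type: float`. The identical copy under tychon_stig/fields/agent.yml has the same declaration. The descriptions of `host.hardware.manufacturer`, `host.hardware.owner` and `host.hardware.serial_number` all read "Host BIOS ...", although the sample values (`VMware, Inc.`, `admin`, the VMware serial) are system-level attributes, which looks like a copy-paste from the `bios` group; `description: Host hardware manufacturer.` and its siblings would be accurate.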
@@ -0,0 +1,86 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.architecture +- external: ecs + name: package.description +- external: ecs + name: package.installed +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.type +- external: ecs + name: package.version +- external: ecs + name: tags +- external: ecs + name: error.message +- external: ecs + name: event.ingested diff --git a/packages/tychon/data_stream/tychon_softwareinventory/fields/fields.yml b/packages/tychon/data_stream/tychon_softwareinventory/fields/fields.yml new file mode 100644 index 00000000000..143a9635854 --- /dev/null +++ b/packages/tychon/data_stream/tychon_softwareinventory/fields/fields.yml 
@@ -0,0 +1,27 @@ +- name: package + type: group + fields: + - name: cpe + description: Package Cpe. + type: keyword + - name: id + description: Package Id. + type: keyword + - name: publisher + description: Package Publisher. + type: keyword + - name: uninstall + description: Package Uninstall. + type: text + - name: version_build + description: Package Version Build. + type: integer + - name: version_major + description: Package Version Major. + type: integer + - name: version_minor + description: Package Version Minor. + type: integer + - name: version_release + description: Package Version Release. + type: integer diff --git a/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml b/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml new file mode 100644 index 00000000000..1dda1c00dff --- /dev/null +++ b/packages/tychon/data_stream/tychon_softwareinventory/manifest.yml 
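Review bot: `package.version_build`, `version_major`, `version_minor` and `version_release` are mapped as 32-bit `integer`, but the pipeline only strips non-digits with `gsub` and never converts or bounds them, so a long build number (a date-stamped build would do) overflows the type and a value with no digits at all becomes `""`, which the mapping may reject. Since version components are identifiers rather than quantities, `type: keyword` (or `long` if range queries are wanted) avoids both problems; otherwise the pipeline needs a `convert` with `ignore_failure` and a `remove` for empty results. The descriptions here only restate the field name (`Package Cpe.`, `Package Id.`); `package.cpe` in particular deserves a sentence such as `description: CPE-style identifier; derived from package.name and package.version by the pipeline when the scanner leaves it empty.`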
@@ -0,0 +1,33 @@ +title: Endpoint Software Inventory Info +type: logs +streams: + - input: logfile + title: Endpoint Software Inventory Info + description: TYCHON will collect all installed software from the operating system. + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: TYCHON Software Inventory Output + multi: true + required: true + show_user: true + default: + - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_softwareinventory_info.json + - /var/log/tychoncloud/eventlogs/tychon_softwareinventory_info.json + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - tychon-softwareinventory-info + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json new file mode 100644 index 00000000000..ee54532bbad --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json 
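Review bot: The default input path `C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_softwareinventory_info.json` lives under a directory whose permissions the package does not describe; if the TYCHON agent leaves it writable by unprivileged users, records written there by anyone on the host are ingested as authoritative inventory. A sentence in the stream `description` stating the ACL the agent is expected to set (or pointing at the vendor documentation for it) would let operators verify that assumption; the tychon_stig manifest has the same default-path shape and deserves the same note.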
@@ -0,0 +1,67 @@ +{ + "events": [ + { + "rule.benchmark.profile.id": "none", + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "benchmark.name": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark", + "rule.weight": "10.0", + "rule.title": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.", + "rule.id": "xccdf_mil.disa.stig_rule_SV-213168r395811_rule", + "rule.oval.refid": "", + "script.type": "powershell", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "rule.name": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.", + "script.version": "2.3.141.0", + "host.hostname": "BOTANYBAYEP1", + "host.hardware.manufacturer": "VMware, Inc.", + "script.start": "2023-09-25T05:03:17Z", + "host.os.name": "Microsoft Windows 10 Pro", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP_xccdf_mil.disa.stig_rule_SV-213168r395811_rule_858A198F20EB96D46BE795A24F17C19D25CEF91AA919E8D19A13A4E6AA65D667", + "rule.test_result": "not applicable", + "host.os.organization": "", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "benchmark.hash": "858A198F20EB96D46BE795A24F17C19D25CEF91AA919E8D19A13A4E6AA65D667", + "host.hardware.owner": "admin", + "host.workgroup": "WORKGROUP", + "benchmark.id": "xccdf_mil.disa.stig_benchmark_Adobe_Acrobat_Reader_DC_Continuous_Track_STIG", + "host.ipv4": "10.1.9.51", + "host.os.version": "2009", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "rule.vulnerability_id": "SV-79409", + "oval.id": "oval:mil.disa.stig.adobe.reader:def:10", + "rule.finding_id": "V-213168", + "rule.stig_id": "ARDC-CN-000005", + "rule.oval.class": "compliance", + "rule.benchmark.title": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark", + "host.id": 
"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "oval.class": "compliance", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "oval.refid": "", + "rule.severity": "medium", + "host.oem.model": "", + "host.uptime": "564559.6950263", + "benchmark.version": "002.002", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "benchmark.title": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark", + "script.name": "Invoke-TychonStigBenchmarkScan.ps1", + "rule.oval.id": "oval:mil.disa.stig.adobe.reader:def:10", + "benchmark.generated_utc": "1664376309000", + "host.oem.manufacturer": "", + "host.os.description": "", + "script.current_duration": "10195.83", + "host.ipv6": "", + "script.current_time": "2023-09-25T05:03:27Z", + "host.hardware.bios.version": "6.00", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json new file mode 100644 index 00000000000..7016db7214e --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json 
@@ -0,0 +1,115 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:10.602964719Z", + "benchmark": { + "generated_utc": "1664376309000", + "hash": "858A198F20EB96D46BE795A24F17C19D25CEF91AA919E8D19A13A4E6AA65D667", + "id": "xccdf_mil.disa.stig_benchmark_Adobe_Acrobat_Reader_DC_Continuous_Track_STIG", + "name": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark", + "title": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark", + "version": "002.002" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "vulnerability", + "configuration" + ], + "ingested": "2023-10-05T13:48:10.602964719Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 564559, + "workgroup": "WORKGROUP" + }, + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP_xccdf_mil.disa.stig_rule_SV-213168r395811_rule_858A198F20EB96D46BE795A24F17C19D25CEF91AA919E8D19A13A4E6AA65D667", + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.adobe.reader:def:10", + "refid": "" + }, + "rule": { + 
"benchmark": { + "profile": { + "id": "none" + }, + "title": "Adobe Acrobat Reader DC Continuous Track STIG SCAP Benchmark" + }, + "finding_id": "V-213168", + "id": "xccdf_mil.disa.stig_rule_SV-213168r395811_rule", + "name": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.", + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.adobe.reader:def:10", + "refid": "" + }, + "result": "not applicable", + "severity": "medium", + "stig_id": "ARDC-CN-000005", + "title": "Adobe Reader DC must enable Enhanced Security in a Standalone Application.", + "vulnerability_id": "SV-79409", + "weight": 10.0 + }, + "script": { + "current_duration": 10195.83, + "current_time": "2023-09-25T05:03:27Z", + "name": "Invoke-TychonStigBenchmarkScan.ps1", + "start": "2023-09-25T05:03:17Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_stig/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..9d64e35f110 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/agent/stream/stream.yml.hbs @@ -0,0 +1,22 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true + expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..2bf85b3687b 
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,78 @@
+---
+description: Pipeline for parsing TYCHON STIGs
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: '@timestamp'
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')"
+ field: rule.result
+ value: '{{rule.test_result}}'
+ - remove:
+ if: "ctx.containsKey('rule') && ctx.rule.containsKey('test_result')"
+ field: rule.test_result
+ - set:
+ field: ecs.version
+ value: '8.8.0'
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - set:
+ field: event.category
+ value: [vulnerability, configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+ - convert:
+ field: rule.weight
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_stig/fields/agent.yml b/packages/tychon/data_stream/tychon_stig/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_stig/fields/agent.yml
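Review bot: The `set rule.result` / `remove rule.test_result` pair guarded by two identical `containsKey` conditions is a rename; `- rename: {field: rule.test_result, target_field: rule.result, ignore_missing: true}` does the same in one processor and drops both conditions. Separately, `split` on `host.ipv4` with `separator: ","` does not trim whitespace, so a scanner value like `10.1.9.51, 10.1.9.52` yields ` 10.1.9.52`, which the `ip`-typed `host.ipv4` mapping will reject; since the processor's separator is a regex (the `"\\.+"` on `host.uptime` already relies on that), `separator: ",\\s*"` is enough, and the same split appears in the tychon_softwareinventory and tychon_volume pipelines.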
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: long + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: version +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: text + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml b/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml new file mode 100644 index 00000000000..58d1699586e --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: input + type: group + fields: + - name: type + description: Input Type. + type: keyword +- name: log + type: group + fields: + - name: offset + description: Log Offset. + type: long diff --git a/packages/tychon/data_stream/tychon_stig/fields/ecs.yml b/packages/tychon/data_stream/tychon_stig/fields/ecs.yml new file mode 100644 index 00000000000..df5124f8039 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/fields/ecs.yml 
@@ -0,0 +1,84 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.build_version +- external: ecs + name: package.description +- external: ecs + name: package.name +- external: ecs + name: package.reference +- external: ecs + name: package.type +- external: ecs + name: rule.id +- external: ecs + name: rule.name +- external: ecs + name: tags diff --git a/packages/tychon/data_stream/tychon_stig/fields/fields.yml b/packages/tychon/data_stream/tychon_stig/fields/fields.yml new file mode 100644 index 00000000000..439e6124a63 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/fields/fields.yml 
@@ -0,0 +1,84 @@ +- name: benchmark + type: group + fields: + - name: generated_utc + description: Benchmark UTC. + type: date + - name: hash + description: Benchmark SHA256 Hash + type: keyword + - name: id + description: Benchmark ID. + type: keyword + - name: name + description: Benchmark Name. + type: keyword + - name: title + description: Benchmark Title. + type: keyword + - name: version + description: Benchmark Version. + type: keyword +- name: oval + type: group + fields: + - name: class + description: Open Vulnerabilities and Assessment Language Class. + type: keyword + - name: id + description: Open Vulnerabilities and Assessment Language Identifier. + type: keyword + - name: refid + description: Open Vulnerabilities and Assessment Language Rule Reference Identifier. + type: keyword +- name: rule + type: group + fields: + - name: benchmark + type: group + fields: + - name: profile + type: group + fields: + - name: id + description: Benchmark Rule Profile Identifier. + type: keyword + - name: title + description: Benchmark Rule Title. + type: keyword + - name: finding_id + description: Benchmark Rule Finding Identifier. + type: keyword + - name: oval + type: group + fields: + - name: class + description: Open Vulnerabilities and Assessment Language Class. + type: keyword + - name: id + description: Open Vulnerabilities and Assessment Language Identifier. + type: keyword + - name: refid + description: Open Vulnerabilities and Assessment Language Reference Identifier. + type: keyword + - name: result + description: Benchmark Rule Results. + type: keyword + - name: severity + description: Benchmark Severity Status. + type: keyword + - name: stig_id + description: Stig rule id + type: keyword + - name: test_result + description: Rule Test Result. + type: keyword + - name: title + description: Benchmark Rule Title. + type: keyword + - name: vulnerability_id + description: Rule vulnerability id. 
+ type: keyword + - name: weight + description: Benchmark Rule Weight. + type: float diff --git a/packages/tychon/data_stream/tychon_stig/manifest.yml b/packages/tychon/data_stream/tychon_stig/manifest.yml new file mode 100644 index 00000000000..57e4a736836 --- /dev/null +++ b/packages/tychon/data_stream/tychon_stig/manifest.yml @@ -0,0 +1,33 @@ +title: Endpoint STIG Results +type: logs +streams: + - input: logfile + title: Endpoint STIG Results + description: Endpoint Benchmark SCAP/XCCDF Scan Results + template_path: stream.yml.hbs + vars: + - name: paths + type: text + title: TYCHON STIG Results Output + multi: true + required: true + show_user: true + default: + - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_stig_info.json + - /var/log/tychoncloud/eventlogs/tychon_stig_info.json + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - tychon-stig-info + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json new file mode 100644 index 00000000000..8af415927e9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json 
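Review bot: `rule.test_result` is mapped here even though the pipeline copies it to `rule.result` and removes it, so the mapping is only ever populated when that rename fails; drop the entry and keep `rule.result` as the documented field. `benchmark.generated_utc` is typed `date` while the test fixture supplies `"1664376309000"`, which parses only because the default date format accepts `epoch_millis`; `description: Benchmark generation time, epoch milliseconds as emitted by the scanner.` would make the expected encoding explicit. `rule.severity` is described as `Benchmark Severity Status`, but the sample value `medium` is the STIG rule's severity, so `description: STIG rule severity (e.g. low, medium, high).` reads more accurately.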
@@ -0,0 +1,61 @@ +{ + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "volume.file_system": "NTFS", + "volume.serial_number": "1591285579", + "volume.size": "52424704", + "script.type": "powershell", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "host.hostname": "BOTANYBAYEP1", + "host.hardware.manufacturer": "VMware, Inc.", + "script.start": "2023-09-25T21:04:42Z", + "host.os.name": "Microsoft Windows 10 Pro", + "host.hardware.owner": "admin", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "volume.dos_device_path": "\\Device\\HarddiskVolume1", + "host.os.organization": "", + "volume.block_size": "4096", + "host.workgroup": "WORKGROUP", + "host.ipv4": "10.1.9.51", + "host.os.version": "2009", + "volume.drive.type": "3", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "volume.freespace": "18493440", + "volume.drive.letter": "", + "volume.power_management_supported": "false", + "volume.purpose": "", + "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "volume.dirty_bit_set": "false", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "volume.id": "\\\\?\\Volume{2d47d57f-0000-0000-0000-100000000000}\\", + "volume.automount": "true", + "host.oem.model": "", + "host.uptime": "622244.0713174", + "id": "10aa4446888ff52f03574182167ec9bd7e8e1454", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "script.name": "Get-TychonVolumeInfo.ps1", + "script.version": "2.3.141.0", + "volume.page_file_present": "false", + "host.oem.manufacturer": "", + "host.os.description": "", + "volume.percent_full": "64.72", + "script.current_duration": "6931.80", + "host.ipv6": "", + "script.current_time": "2023-09-25T21:04:49Z", + "host.hardware.bios.version": "6.00", + 
"volume.name": "\\\\?\\Volume{2d47d57f-0000-0000-0000-100000000000}\\", + "volume.system_volume": "true", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-config.yml b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-config.yml new file mode 100644 index 00000000000..302199c74f9 --- /dev/null +++ b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-config.yml @@ -0,0 +1,3 @@ +dynamic_fields: + "@timestamp": ".*" + event.ingested: ".*" diff --git a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json new file mode 100644 index 00000000000..71ec1f6fdd6 --- /dev/null +++ b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json 
@@ -0,0 +1,100 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-05T13:48:10.874308564Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "configuration" + ], + "ingested": "2023-10-05T13:48:10.874308564Z", + "kind": "state", + "module": "tychon", + "type": [ + "info" + ] + }, + "host": { + "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "cloud": { + "hosted": "false" + }, + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "admin", + "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3" + }, + "hostname": "BOTANYBAYEP1", + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "ip": [ + "10.1.9.51" + ], + "ipv4": [ + "10.1.9.51" + ], + "ipv6": "", + "mac": [ + "00-0C-29-93-6A-F3" + ], + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "19045", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 10 Pro", + "organization": "", + "version": "2009" + }, + "type": "Workstation", + "uptime": 622244, + "workgroup": "WORKGROUP" + }, + "id": "10aa4446888ff52f03574182167ec9bd7e8e1454", + "script": { + "current_duration": 6931.8, + "current_time": "2023-09-25T21:04:49Z", + "name": "Get-TychonVolumeInfo.ps1", + "start": "2023-09-25T21:04:42Z", + "type": "powershell", + "version": "2.3.141.0" + }, + "tychon": { + "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP" + }, + "volume": { + "automount": "true", + "block_size": 4096, + "dirty_bit_set": "false", + "dos_device_path": "\\Device\\HarddiskVolume1", + "drive": { + "letter": "", + "type": "3" + }, + "file_system": "NTFS", + "freespace": 18493440, + "id": "\\\\?\\Volume{2d47d57f-0000-0000-0000-100000000000}\\", + "name": "\\\\?\\Volume{2d47d57f-0000-0000-0000-100000000000}\\", 
+ "page_file_present": "false", + "percent_full": 64.72, + "power_management_supported": "false", + "purpose": "", + "serial_number": "1591285579", + "size": 52424704, + "system_volume": "true" + } + } + ] +} \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs b/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..e39e88b253d --- /dev/null +++ b/packages/tychon/data_stream/tychon_volume/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +json: + keys_under_root: true + expand_keys: true \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..6a281c93c67 --- /dev/null +++ b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml 
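Review bot: The `{{#contains "forwarded" tags}}` block in this template is empty, so tagging the stream `forwarded` no longer emits `publisher_pipeline.disable_host: true` as the tychon_stig template does; this looks inadvertent, so either restore that line inside the block or delete the block. `processors:` is also emitted with no list item when the `processors` variable is unset, whereas the tychon_stig template anchors it with `- add_locale: ~`; the three stream templates should share one shape so the generated config is valid in every case.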
@@ -0,0 +1,99 @@
+---
+description: Pipeline for TYCHON Volumes
+processors:
+ - dot_expander:
+ field: "*"
+ - set:
+ field: "@timestamp"
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: 8.8.0
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.module
+ value: tychon
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: string
+ ignore_missing: true
+ - split:
+ field: host.uptime
+ separator: "\\.+"
+ target_field: tempuptime
+ ignore_failure: true
+ - set:
+ field: host.uptime
+ value: "{{tempuptime.0}}"
+ ignore_failure: true
+ - remove:
+ field: tempuptime
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: volume.block_size
+ value: 0
+ if: ctx.volume.block_size == ''
+ - set:
+ field: volume.freespace
+ value: 0
+ if: ctx.volume.freespace == ''
+ - set:
+ field: volume.percent_full
+ value: 100
+ if: ctx.volume.percent_full == '' || ctx.volume.percent_full == 'NaN'
+ - set:
+ field: volume.size
+ value: 0
+ if: ctx.volume.size == ''
+ - convert:
+ field: volume.block_size
+ type: long
+ ignore_missing: true
+ - convert:
+ field: volume.freespace
+ type: long
+ ignore_missing: true
+ - convert:
+ field: volume.percent_full
+ type: float
+ ignore_missing: true
+ - convert:
+ field: volume.size
+ type: long
+ ignore_missing: true
+ - convert:
+ field: host.uptime
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.type
+ value: [info]
+ - convert:
+ field: script.current_duration
+ type: float
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
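Review bot: The four `set` processors guarded by `if: ctx.volume.block_size == ''` (and the same form for `freespace`, `percent_full` and `size`) dereference `ctx.volume` with no null check, so a document that arrives without a `volume` object throws in the condition itself and is routed to `on_failure` as `pipeline_error` instead of being indexed; the null-safe form `if: ctx.volume?.block_size == ''` keeps such documents flowing. The empty-string guards also only normalise `''` (plus `'NaN'` for `percent_full`), while the `convert` processors that follow carry `ignore_missing` but no `ignore_failure`, so any other non-numeric value the collector emits for those fields still fails the whole document — if that is intended as a hard data-quality check, a comment on the first `convert` saying so would help the next reader. `percent_full` being forced to `100` when unknown also deserves a comment, since a reader of the dashboard cannot distinguish a genuinely full volume from a missing reading.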
diff --git a/packages/tychon/data_stream/tychon_volume/fields/agent.yml b/packages/tychon/data_stream/tychon_volume/fields/agent.yml
new file mode 100644
index 00000000000..efacb477dd9
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_volume/fields/agent.yml
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: version
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: text
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_volume/fields/base-fields.yml b/packages/tychon/data_stream/tychon_volume/fields/base-fields.yml
new file mode 100644
index 00000000000..58d1699586e
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_volume/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: input
+ type: group
+ fields:
+ - name: type
+ description: Input Type.
+ type: keyword
+- name: log
+ type: group
+ fields:
+ - name: offset
+ description: Log Offset.
+ type: long
diff --git a/packages/tychon/data_stream/tychon_volume/fields/ecs.yml b/packages/tychon/data_stream/tychon_volume/fields/ecs.yml
new file mode 100644
index 00000000000..ddef4bf5542
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_volume/fields/ecs.yml
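Review bot: `script.current_duration` is declared `type: long` in agent.yml while the ingest pipeline converts the same field to `float` and the expected test document carries `6931.8`, so the mapping truncates the fractional value (or rejects it where coercion is disabled); `type: float` would match what the pipeline produces. `host.ipv4` is mapped as `ip` but `host.ipv6` as `keyword`, and the sample shows `host.ipv6: ""`, so presumably `keyword` was chosen to tolerate the empty string the collector emits — that deserves a comment, because an empty `host.ipv4` would hit the same indexing failure with the `ip` mapping and the pipeline does not guard against it. The descriptions of `host.hardware.manufacturer`, `host.hardware.owner` and `host.hardware.serial_number` all say "BIOS" although the sample values ("VMware, Inc.", "admin") describe the system rather than its firmware; `description: Host hardware manufacturer.` and similar would read more accurately.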
@@ -0,0 +1,70 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: host.uptime
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
diff --git a/packages/tychon/data_stream/tychon_volume/fields/fields.yml b/packages/tychon/data_stream/tychon_volume/fields/fields.yml
new file mode 100644
index 00000000000..6fdf076eb63
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_volume/fields/fields.yml
@@ -0,0 +1,57 @@
+- name: volume
+ type: group
+ fields:
+ - name: automount
+ description: Volume Automount.
+ type: boolean
+ - name: block_size
+ description: Volume Block Size.
+ type: long
+ - name: dirty_bit_set
+ description: Volume Dirty Bit Set.
+ type: boolean
+ - name: dos_device_path
+ description: Volume Dos Device Path.
+ type: text
+ - name: drive
+ type: group
+ fields:
+ - name: letter
+ description: Volume Drive Letter.
+ type: keyword
+ - name: type
+ description: Volume Drive Type.
+ type: keyword
+ - name: file_system
+ description: Volume File System.
+ type: keyword
+ - name: freespace
+ description: Volume Freespace.
+ type: long
+ - name: id
+ description: Volume Id.
+ type: keyword
+ - name: name
+ description: Volume Name.
+ type: keyword
+ - name: page_file_present
+ description: Volume Page File Present.
+ type: boolean
+ - name: percent_full
+ description: Volume Percent Full.
+ type: float
+ - name: power_management_supported
+ description: Volume Power Management Supported.
+ type: boolean
+ - name: purpose
+ description: Volume Purpose.
+ type: keyword
+ - name: serial_number
+ description: Volume Serial Number.
+ type: keyword
+ - name: size
+ description: Volume Size.
+ type: long
+ - name: system_volume
+ description: Volume System Volume.
+ type: boolean
diff --git a/packages/tychon/data_stream/tychon_volume/manifest.yml b/packages/tychon/data_stream/tychon_volume/manifest.yml
new file mode 100644
index 00000000000..2ec9dafba5d
--- /dev/null
+++ b/packages/tychon/data_stream/tychon_volume/manifest.yml
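Review bot: `volume.freespace` and `volume.size` are documented as "Volume Freespace." and "Volume Size." with no unit, and the sample values (18493440 and 52424704) do not make it obvious whether they are bytes or kilobytes; the description should state the unit, e.g. `description: Volume free space, in <UNIT-FROM-COLLECTOR>.`, with the unit confirmed against the scanner output. `volume.drive.type` is a keyword holding a numeric code ("3" in the sample), so a description naming the code table it is taken from would save every consumer a lookup. `volume.dos_device_path` is mapped as `text`, which rules out exact-match filtering and aggregation on a device path; `keyword` fits the value better unless full-text search on it is actually wanted.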
@@ -0,0 +1,33 @@
+title: Endpoint Volumes Info
+type: logs
+streams:
+ - input: logfile
+ title: Endpoint Volumes Info
+ description: Endpoint Volumes Info
+ template_path: stream.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: TYCHON Volumes Output
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - C:\ProgramData\TYCHONCLOUD\eventlogs\tychon_volume_info.json
+ - /var/log/tychoncloud/eventlogs/tychon_volume_info.json
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - tychon-volume
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/tychon/docs/README.md b/packages/tychon/docs/README.md
new file mode 100644
index 00000000000..ec787c21055
--- /dev/null
+++ b/packages/tychon/docs/README.md
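Review bot: The `paths` variable has a `title` but no `description`, unlike `processors`, so the policy editor gives the user no hint that these should be the JSON files written by the TYCHON volume scanner rather than arbitrary logs; a one-line `description: Paths to the JSON output files written by the TYCHON volume scan.` would close that gap. The stream `description: Endpoint Volumes Info` also just repeats the title; saying what the data stream holds (one state record per volume from the TYCHON volume scan) would help users choosing among the TYCHON data streams.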
@@ -0,0 +1,1166 @@ +# TYCHON Agentless + +[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source Master Endpoint Record data from endpoints, including vulnerability and STIG results, without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) + +## Compatibility + +* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems. +* This integration requires a TYCHON Agentless license. +* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files. +* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data. +* This integration supports Elastic 8.8+. + +## Returned Data Fields +### ARP Table Information + +TYCHON scans Endpoint ARP Tables and returns the results. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. 
This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| destination.hostname | The Translated Hostname of the IP in the ARP Table | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.name | | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. 
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. 
| long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.interface | The interface the ARP Table has associated the destination. | keyword | +| network.state | Current state | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Vulnerablities + +TYCHON scans for Endpoint CPU's and returns the results. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. 
Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. 
Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. 
`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.cpu.caption | Host Cpu Caption. | text | +| host.cpu.clockspeed | Host Cpu Clockspeed. | long | +| host.cpu.family | Host Cpu Family. | keyword | +| host.cpu.manufacturer | Host Cpu Manufacturer. | keyword | +| host.cpu.name | Host Cpu Name. | keyword | +| host.cpu.number_of_cores | Host Cpu Number Of Cores. | integer | +| host.cpu.number_of_logical_processors | Host Cpu Number Of Logical Processors. | integer | +| host.cpu.speed | Host Cpu Speed. | long | +| host.cpu.virtualization_firmware_enabled | Host Cpu Virtualization Firmware Enabled. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| host.workgroup | Host Workgroup Network Name. | keyword |
+| id | TYCHON unique document identifier. | keyword |
+| input.type | Input Type. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.offset | Log Offset. | long |
+| script.current_duration | Scanner Script Duration. | long |
+| script.current_time | Current datetime. | date |
+| script.name | Scanner Script Name. | keyword |
+| script.start | Scanner Start datetime. | date |
+| script.type | Scanner Script Type. | keyword |
+| script.version | Scanner Script Version. | version |
+| tags | List of keywords used to tag each event. | keyword |
+| tychon.id | TYCHON unique host identifier. | keyword |
+
+
+### Vulnerablities
+
+TYCHON scans for Endpoint vulnerablities and returns the results.
+
+**Exported fields**
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
+| agent.name | Custom name of the agent. This is a name that can be given to an agent. 
This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
+| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
+| agent.version | Version of the agent. | keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| elastic_agent.id | Elastic Agent Id. | keyword |
+| elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
+| elastic_agent.version | Elastic Agent Version. | keyword |
+| error.message | Error message. | match_only_text |
+| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.biossn | Host BIOS Serial Number. | keyword |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hardware.bios.name | Host BIOS Name. | keyword |
+| host.hardware.bios.version | Host BIOS Version. | keyword |
+| host.hardware.cpu.caption | Host CPU Caption. 
| keyword |
+| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword |
+| host.hardware.owner | Host BIOS Owner. | keyword |
+| host.hardware.serial_number | Host BIOS Serial Number. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.ipv4 | Host IPv4 addresses. | ip |
+| host.ipv6 | Host IPv6 addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
+| host.oem.manufacturer | Host OEM Manufacturer. | keyword |
+| host.oem.model | Host OEM Model. | keyword |
+| host.os.build | Host OS Build. | keyword |
+| host.os.description | Host OS Description. | text |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.organization | Host OS Organization. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| host.workgroup | Host Workgroup Network Name. | keyword |
+| id | TYCHON unique document identifier. | keyword |
+| input.type | Input Type. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.offset | Log Offset. | long |
+| script.current_duration | Scanner Script Duration. | long |
+| script.current_time | Current datetime. | date |
+| script.name | Scanner Script Name. | keyword |
+| script.start | Scanner Start datetime. | date |
+| script.type | Scanner Script Type. | keyword |
+| script.version | Scanner Script Version. | version |
+| tags | List of keywords used to tag each event. | keyword |
+| tychon.id | TYCHON unique host identifier. | keyword |
+| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
+| vulnerability.classification | The classification of the vulnerability scoring system. 
For example (https://www.first.org/cvss/) | keyword |
+| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword |
+| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text |
+| vulnerability.due_date | Vulnerability Due Date. | date |
+| vulnerability.due_date_reason | Vulnerability Due Date Reason. | keyword |
+| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword |
+| vulnerability.iava | Vulnerability Iava. | keyword |
+| vulnerability.iava_severity | Vulnerability Iava Severity. | keyword |
+| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
+| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
+| vulnerability.result | Vulnerability Result. | keyword |
+| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword |
+| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+| vulnerability.title | Vulnerability Title. | keyword |
+| vulnerability.version | Vulnerability Version. | keyword |
+| vulnerability.year | Vulnerability Year. | integer |
+
+
+### Endpoint Protection Platform
+
+TYCHON scans the Endpoint's Windows Defender and returns protection status and version details.
+
+**Exported fields**
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
+| agent.name | Custom name of the agent. This is a name that can be given to an agent. 
This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
+| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
+| agent.version | Version of the agent. | keyword |
+| crowdstrike.service.falcon.signature_version | Crowdstrike Service Falcon Signature Version. | keyword |
+| crowdstrike.service.falcon.status | Crowdstrike Service Falcon Status. | keyword |
+| crowdstrike.service.falcon.version | Crowdstrike Service Falcon Version. | version |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". 
We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| elastic.service.agent.status | Elastic Service Agent Status. | keyword |
+| elastic.service.agent.version | Elastic Service Agent Version. | version |
+| elastic.service.endpoint.behavior_protection | Elastic Service Endpoint Behavior Protection. | keyword |
+| elastic.service.endpoint.malware | Elastic Service Endpoint Malware. | keyword |
+| elastic.service.endpoint.memory_protection | Elastic Service Endpoint Memory Protection. | keyword |
+| elastic.service.endpoint.ransomware | Elastic Service Endpoint Ransomware. | keyword |
+| elastic.service.endpoint.status | Elastic Service Endpoint Status. | keyword |
+| elastic.service.endpoint.version | Elastic Service Endpoint Version. | version |
+| elastic_agent.id | Elastic Agent Id. | keyword |
+| elastic_agent.snapshot | Elastic Agent snapshot. | boolean |
+| elastic_agent.version | Elastic Agent Version. | keyword |
+| error.message | Error message. | match_only_text |
+| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. 
If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.biossn | Host BIOS Serial Number. | keyword |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hardware.bios.name | Host BIOS Name. | keyword |
+| host.hardware.bios.version | Host BIOS Version. | keyword |
+| host.hardware.cpu.caption | Host CPU Caption. | keyword |
+| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword |
+| host.hardware.owner | Host BIOS Owner. 
| keyword |
+| host.hardware.serial_number | Host BIOS Serial Number. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.ipv4 | Host IPv4 addresses. | ip |
+| host.ipv6 | Host IPv6 addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
+| host.oem.manufacturer | Host OEM Manufacturer. | keyword |
+| host.oem.model | Host OEM Model. | keyword |
+| host.os.build | Host OS Build. | keyword |
+| host.os.description | Host OS Description. | text |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.organization | Host OS Organization. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
| keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| host.workgroup | Host Workgroup Network Name. | keyword |
+| id | TYCHON unique document identifier. | keyword |
+| input.type | Input Type. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.offset | Log Offset. | long |
+| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword |
+| package.description | Description of the package. | keyword |
+| package.name | Package name | keyword |
+| package.reference | Home page or reference URL of the software in this package, if available. | keyword |
+| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword |
+| script.current_duration | Scanner Script Duration. | long |
+| script.current_time | Current datetime. | date |
+| script.name | Scanner Script Name. | keyword |
+| script.start | Scanner Start datetime. | date |
+| script.type | Scanner Script Type. | keyword |
+| script.version | Scanner Script Version. | version |
+| tags | List of keywords used to tag each event. | keyword |
+| trellix.service.accm.status | Trellix Service Accm Status. | keyword |
+| trellix.service.accm.version | Trellix Service Accm Version. | version |
+| trellix.service.dlp.status | Trellix Service Dlp Status. 
| keyword |
+| trellix.service.dlp.version | Trellix Service Dlp Version. | version |
+| trellix.service.ens.signature_version | Trellix Service Ens Signature Version. | keyword |
+| trellix.service.ens.status | Trellix Service Ens Status. | keyword |
+| trellix.service.ens.version | Trellix Service Ens Version. | version |
+| trellix.service.ma.status | Trellix Service Ma Status. | keyword |
+| trellix.service.ma.version | Trellix Service Ma Version. | version |
+| trellix.service.pa.status | Trellix Service Pa Status. | keyword |
+| trellix.service.pa.version | Trellix Service Pa Version. | version |
+| trellix.service.rsd.status | Trellix Service Rsd Status. | keyword |
+| trellix.service.rsd.version | Trellix Service Rsd Version. | version |
+| tychon.id | TYCHON unique host identifier. | keyword |
+| windows_defender.service.antimalware.engine_version | Windows Defender Service Antimalware Engine Version. | keyword |
+| windows_defender.service.antimalware.product_version | Windows Defender Service Antimalware Product Version. | keyword |
+| windows_defender.service.antimalware.signature_version | Windows Defender Service Antimalware Signature Version. | keyword |
+| windows_defender.service.antimalware.status | Windows Defender Service Antimalware Status. | keyword |
+| windows_defender.service.antispyware.signature_version | Windows Defender Service Antispyware Signature Version. | keyword |
+| windows_defender.service.antispyware.status | Windows Defender Service Antispyware Status. | keyword |
+| windows_defender.service.antivirus.full_scan.signature_version | Windows Defender Service Antivirus Full Scan Signature Version. | keyword |
+| windows_defender.service.antivirus.quick_scan.signature_version | Windows Defender Service Antivirus Quick Scan Signature Version. | keyword |
+| windows_defender.service.antivirus.status | Windows Defender Service Antivirus Status. 
| keyword |
+| windows_defender.service.behavior_monitor.status | Windows Defender Service Behavior Monitor Status. | keyword |
+| windows_defender.service.ioav_protection.status | Windows Defender Service Ioav Protection Status. | keyword |
+| windows_defender.service.nis.engine_version | Windows Defender Service Nis Engine Version. | keyword |
+| windows_defender.service.nis.signature_version | Windows Defender Service Nis Signature Version. | keyword |
+| windows_defender.service.nis.status | Windows Defender Service Nis Status. | keyword |
+| windows_defender.service.on_access_protection.status | Windows Defender Service On Access Protection Status. | keyword |
+| windows_defender.service.real_time_protection.status | Windows Defender Service Real Time Protection Status. | keyword |
+
+
+### Endpoint Exposed Services Information
+
+The TYCHON script to scan Endpoint Exposed Services and returns information.
+
+**Exported fields**
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
+| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
+| agent.type | Type of the agent. 
The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| device.name | Device Name. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. 
| boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.name | Process name. 
Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.user.name | Short name or login of the user. | keyword | +| process.user.name.text | Multi-field of `process.user.name`. | match_only_text | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| service.description | The description text on the service. | keyword | +| service.display_name | The human readable name of the service | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.state | Current state of the service. | keyword | +| service.status | Service Status. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Endpoint Hard Drive Information + +The TYCHON script scans an endpoint's Hard Drive Configurations and returns information. 
+ +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. 
Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| disk.adapter.serial_number | Disk Adapter Serial Number | keyword | +| disk.boot_from | OS booted from this disk | boolean | +| disk.bus_type | The Disk Bus Type | keyword | +| disk.clustered | Is the Disk Clustered | boolean | +| disk.firmware_version | Disk Firmware version | keyword | +| disk.health_status | Health status of the disk | keyword | +| disk.highly_available | Disk is marked as highly available | boolean | +| disk.id | Disk ID | keyword | +| disk.is_boot | Disk is a boot disk | boolean | +| disk.location.adapter | Zero index adapter location | integer | +| disk.location.bus | Disk Bus Location | integer | +| disk.location.device | Disk Device Location | integer | +| disk.location.function | Disk Function Location | integer | +| disk.location.pci_slot | PCI Slot location | integer | +| disk.manufacturer | The manufacturer of the Disk | keyword | +| disk.model | The model of the disk | keyword | +| disk.name | The friendly name of the disk | keyword | +| disk.number | The number assigned to the disk | integer | +| disk.number_of_partitions | Total number of partitions on the drive | integer | +| disk.offline | Is the disk offline | boolean | +| disk.operational_status | Operational Status of the disk | keyword | +| disk.partition_style | Partition style | keyword | +| disk.serial_number | The unique serial number of the drive | keyword 
| +| disk.size | Total Size of the disk | long | +| disk.system | Is this a system drive | boolean | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. 
| keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. 
The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. | long | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. 
| keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Endpoint Hardware Information + +The TYCHON script scans an endpoint's Hardware Configurations and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. 
`event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| device.class | Device Class. | keyword | +| device.description | Device Description. | text | +| device.friendly_name | Device Friendly Name. | keyword | +| device.id | The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. | keyword | +| device.manufacturer | The vendor name of the device manufacturer. | keyword | +| device.model.name | The human readable marketing name of the device model. | keyword | +| device.name | Device Name. | keyword | +| device.present | Device Present. 
| boolean | +| device.status | Device Status. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). 
It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. 
| keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. | long | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. 
| keyword | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Endpoint Host OS Information + +The TYCHON script scans an endpoint's OS Configurations and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.deviceguard.basevirtualizationsupport.available | Event Deviceguard Basevirtualizationsupport Available. | boolean | +| event.deviceguard.credentialguard.enabled | Event Deviceguard Credentialguard Enabled. | boolean | +| event.deviceguard.credentialguard.running | Event Deviceguard Credentialguard Running. | boolean | +| event.deviceguard.dmaprotection.available | Event Deviceguard Dmaprotection Available. | boolean | +| event.deviceguard.hypervisorenforcedcodeint.enabled | Event Deviceguard Hypervisorenforcedcodeint Enabled. | boolean | +| event.deviceguard.hypervisorenforcedcodeint.running | Event Deviceguard Hypervisorenforcedcodeint Running. | boolean | +| event.deviceguard.secureboot.available | Event Deviceguard Secureboot Available. | boolean | +| event.deviceguard.securememoverwrite.available | Event Deviceguard Securememoverwrite Available. | boolean | +| event.deviceguard.smmsecuritymigrations.available | Event Deviceguard Smmsecuritymigrations Available. | boolean | +| event.deviceguard.systemguardsecurelaunch.enabled | Event Deviceguard Systemguardsecurelaunch Enabled. | boolean | +| event.deviceguard.systemguardsecurelaunch.running | Event Deviceguard Systemguardsecurelaunch Running. | boolean | +| event.deviceguard.ueficodereadonly.available | Event Deviceguard Ueficodereadonly Available. | boolean | +| event.deviceguard.usermodecodeintegrity.policyenforcement | Event Deviceguard Usermodecodeintegrity Policyenforcement. 
| keyword | +| event.deviceguard.version | Event Deviceguard Version. | keyword | +| event.deviceguard.virtualizationbasedsecurity.status | Event Deviceguard Virtualizationbasedsecurity Status. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.ufi.enabled | Event Ufi Enabled. | boolean | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.cloud.compute.name | Host Cloud Compute Name. | keyword | +| host.cloud.compute.resource_group_name | Host Cloud Compute Resource Group Name. | keyword | +| host.cloud.compute.resource_id | Host Cloud Compute Resource Id. | keyword | +| host.cloud.compute.subscription_id | Host Cloud Compute Subscription Id. | keyword | +| host.cloud.compute.tags | Host Cloud Compute Tags. | keyword | +| host.cloud.compute.vm_id | Host Cloud Compute Vm Id. | keyword | +| host.cloud.hosted | Host Cloud Hosted. | boolean | +| host.cloud.network.mac_address | Host Cloud Network Mac Address. | keyword | +| host.cloud.network.public_ipv4 | Host Cloud Network Public Ipv4. | ip | +| host.cloud.network.public_ipv6 | Host Cloud Network Public Ipv6. | ip | +| host.compute.location | Host Compute Location. | keyword | +| host.cpu.caption | Host Cpu Caption. | text | +| host.cpu.count | Host Cpu Count. | integer | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.memory.size | Host Memory Size. | long | +| host.motherboard.chipset | Host Motherboard Chipset. | keyword | +| host.motherboard.serial_number | Host Motherboard Serial Number. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.edition | Host Os Edition. | keyword | +| host.os.extended_support_license | Host Os Extended Support License. | keyword | +| host.os.extended_support_license_expiration | Host Os Extended Support License Expiration. | date | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.suportted_plan | Host Os Suportted Plan. | keyword | +| host.os.vendor | Host Os Vendor. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.security.antivirus.exists | Host Security Antivirus Exists. | boolean | +| host.security.antivirus.name | Host Security Antivirus Name. | keyword | +| host.security.antivirus.state | Host Security Antivirus State. | keyword | +| host.security.antivirus.status | Host Security Antivirus Status. | keyword | +| host.tpm.compliant | Host Tpm Compliant. | boolean | +| host.tpm.digest.id | Host Tpm Digest Id. | keyword | +| host.tpm.present | Host Tpm Present. | boolean | +| host.tpm.version | Host Tpm Version. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.virtualization_status | Host Virtualization Status. | keyword | +| host.virtulization_status | Host Virtulization Status. | keyword | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.offset | Log Offset. | long | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tychon.definition.oval | Tychon Definition Oval. | date | +| tychon.definition.stig | Tychon Definition Stig. | date | +| tychon.id | TYCHON unique host identifier. | keyword | +| tychon.version.agent | Tychon Version Agent. 
| version | +| tychon.version.content | Tychon Version Content. | version | + + +### Endpoint Network Adapters Information + +The TYCHON script scans an endpoint's Network Adapter Configurations and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| host.adapter.alias | The Alias given to this adapter | keyword | +| host.adapter.description | The network adapter description | text | +| host.adapter.dhcp.enabled | Is DHCP Enabled on this adapter | boolean | +| host.adapter.dhcp.lease_expires | When does this DHCP lease expire | date | +| host.adapter.dhcp.lease_obtained | When was the DHCP lease obtained | date | +| host.adapter.dhcp.server | What IP Address was the DHCP IP obtained from. | ip | +| host.adapter.domain | What domain was assigned to this adapter | text | +| host.adapter.driver.date | Date the driver was installed | date | +| host.adapter.driver.description | Description of the driver | text | +| host.adapter.driver.file_name | Driver File name | keyword | +| host.adapter.driver.name | Name of the driver | keyword | +| host.adapter.driver.provider | Company that provided the driver | keyword | +| host.adapter.driver.version | Version of the driver | keyword | +| host.adapter.gateway | Gateway IP Address | ip | +| host.adapter.id | ID Of the adapter | keyword | +| host.adapter.ip | IP Addresses assigned to the adapter | ip | +| host.adapter.ip_filter.enabled | Is IP Filtering Enabled | boolean | +| host.adapter.link_speed | Link speed of the adapter | long | +| host.adapter.mac | Hardware MAC Address | keyword | +| host.adapter.media.connection_state | Current Connection State | keyword | +| host.adapter.media.type | Current Connection Media Type | keyword | +| host.adapter.mtu | MTU Size | integer | +| host.adapter.ndis.version | NDIS Version | keyword | +| host.adapter.subnet_bit | Subnet BIT | integer | +| host.adapter.virtual | Is adapter virtual | boolean | +| host.adapter.vlan.id | The VLAN ID | keyword | +| host.adapter.wifi.authentication | The Authentication method used to connected to the WIFI Router | keyword | +| 
host.adapter.wifi.band | The band used to connected to the WIFI Router | keyword | +| host.adapter.wifi.bssid | The Connected WIFI Router Hardware Address | keyword | +| host.adapter.wifi.channel | The channel used to connected to the WIFI Router | keyword | +| host.adapter.wifi.cipher | The CIPHER used to connected to the WIFI Router | keyword | +| host.adapter.wifi.enabled | Is WIFI Enabled | boolean | +| host.adapter.wifi.radio_type | The radio type of the connected WIFI Router | keyword | +| host.adapter.wifi.signal_percent | Signal strength to connected WIFI Router | integer | +| host.adapter.wifi.ssid | The Connected WIFI Router SSID | keyword | +| host.adapter.wins_server | The WINS Server attached to this adapter | ip | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.offset | Log Offset. | long | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Endpoint Software Inventory Information + +The TYCHON script scans an endpoint's Software Inventory and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. 
This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. 
If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. 
`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | +| log.offset | Log Offset. | long | +| package.architecture | Package architecture. | keyword | +| package.cpe | Package Cpe. | keyword | +| package.description | Description of the package. | keyword | +| package.id | Package Id. | keyword | +| package.installed | Time when package was installed. | date | +| package.name | Package name | keyword | +| package.path | Path where the package is installed. | keyword | +| package.publisher | Package Publisher. | keyword | +| package.size | Package size in bytes. | long | +| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | +| package.uninstall | Package Uninstall. | text | +| package.version | Package version | keyword | +| package.version_build | Package Version Build. | integer | +| package.version_major | Package Version Major. | integer | +| package.version_minor | Package Version Minor. | integer | +| package.version_release | Package Version Release. | integer | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Endpoint STIG Information + +The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| benchmark.generated_utc | Benchmark UTC. | date | +| benchmark.hash | Benchmark SHA256 Hash | keyword | +| benchmark.id | Benchmark ID. | keyword | +| benchmark.name | Benchmark Name. | keyword | +| benchmark.title | Benchmark Title. | keyword | +| benchmark.version | Benchmark Version. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. 
Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. 
`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. | text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. | long | +| oval.class | Open Vulnerabilities and Assessment Language Class. | keyword | +| oval.id | Open Vulnerabilities and Assessment Language Identifier. | keyword | +| oval.refid | Open Vulnerabilities and Assessment Language Rule Reference Identifier. | keyword | +| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword | +| package.description | Description of the package. | keyword | +| package.name | Package name | keyword | +| package.reference | Home page or reference URL of the software in this package, if available. | keyword | +| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | +| rule.benchmark.profile.id | Benchmark Rule Profile Identifier. | keyword | +| rule.benchmark.title | Benchmark Rule Title. | keyword | +| rule.finding_id | Benchmark Rule Finding Identifier. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.oval.class | Open Vulnerabilities and Assessment Language Class. 
| keyword | +| rule.oval.id | Open Vulnerabilities and Assessment Language Identifier. | keyword | +| rule.oval.refid | Open Vulnerabilities and Assessment Language Reference Identifier. | keyword | +| rule.result | Benchmark Rule Results. | keyword | +| rule.severity | Benchmark Severity Status. | keyword | +| rule.stig_id | Stig rule id | keyword | +| rule.test_result | Rule Test Result. | keyword | +| rule.title | Benchmark Rule Title. | keyword | +| rule.vulnerability_id | Rule vulnerability id. | keyword | +| rule.weight | Benchmark Rule Weight. | float | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. | keyword | + + +### Endpoint Volume Information + +The TYCHON script scans an endpoint's Volume Configurations and returns information. + +**Exported fields** +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. 
This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic_agent.id | Elastic Agent Id. | keyword | +| elastic_agent.snapshot | Elastic Agent snapshot. | boolean | +| elastic_agent.version | Elastic Agent Version. | keyword | +| error.message | Error message. | match_only_text | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.biossn | Host BIOS Serial Number. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hardware.bios.name | Host BIOS Name. | keyword | +| host.hardware.bios.version | Host BIOS Version. | keyword | +| host.hardware.cpu.caption | Host CPU Caption. | keyword | +| host.hardware.manufacturer | Host BIOS Manufacturer. | keyword | +| host.hardware.owner | Host BIOS Owner. | keyword | +| host.hardware.serial_number | Host BIOS Serial Number. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.ipv4 | Host IPv4 addresses. | ip | +| host.ipv6 | Host IPv6 addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | +| host.oem.manufacturer | Host OEM Manufacturer. | keyword | +| host.oem.model | Host OEM Model. | keyword | +| host.os.build | Host OS Build. | keyword | +| host.os.description | Host OS Description. 
| text | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.organization | Host OS Organization. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| host.workgroup | Host Workgroup Network Name. | keyword | +| id | TYCHON unique document identifier. | keyword | +| input.type | Input Type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log Offset. | long | +| script.current_duration | Scanner Script Duration. | long | +| script.current_time | Current datetime. | date | +| script.name | Scanner Script Name. | keyword | +| script.start | Scanner Start datetime. | date | +| script.type | Scanner Script Type. | keyword | +| script.version | Scanner Script Version. | version | +| tags | List of keywords used to tag each event. | keyword | +| tychon.id | TYCHON unique host identifier. 
| keyword | +| volume.automount | Volume Automount. | boolean | +| volume.block_size | Volume Block Size. | long | +| volume.dirty_bit_set | Volume Dirty Bit Set. | boolean | +| volume.dos_device_path | Volume Dos Device Path. | text | +| volume.drive.letter | Volume Drive Letter. | keyword | +| volume.drive.type | Volume Drive Type. | keyword | +| volume.file_system | Volume File System. | keyword | +| volume.freespace | Volume Freespace. | long | +| volume.id | Volume Id. | keyword | +| volume.name | Volume Name. | keyword | +| volume.page_file_present | Volume Page File Present. | boolean | +| volume.percent_full | Volume Percent Full. | float | +| volume.power_management_supported | Volume Power Management Supported. | boolean | +| volume.purpose | Volume Purpose. | keyword | +| volume.serial_number | Volume Serial Number. | keyword | +| volume.size | Volume Size. | long | +| volume.system_volume | Volume System Volume. | boolean | + diff --git a/packages/tychon/elasticsearch/transform/arp/fields/agent.yml b/packages/tychon/elasticsearch/transform/arp/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/arp/fields/agent.yml 
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: float
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: keyword
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/arp/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/arp/fields/base-fields.yml
new file mode 100644
index 00000000000..b1abf837fb0
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/arp/fields/base-fields.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Source file type.
+ type: keyword
+- name: log.offset
+ description: Source file current offset.
+ type: long
diff --git a/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
new file mode 100644
index 00000000000..c4741ffc810
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/arp/fields/ecs.yml
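Review bot: `script.current_duration` is mapped as `float` in this `agent.yml` while the README rows added in the same PR document the field as `long`, and `script.version` (`keyword` here, `version` in the README) and `host.os.description` (`keyword` here, `text` in the README) diverge the same way. If the data-stream field files match the README, the `latest` transform copies these values into a destination index whose type differs from the source, which is harmless for a coercible number but changes sort and range semantics for `version` and search behaviour for `text`. Either align the three `type:` lines with the data-stream definitions or state in a `description` why the destination deliberately differs. The cpu copy at `packages/tychon/elasticsearch/transform/cpu/fields/agent.yml` is byte-identical (same blob `2f024c089ab`) and carries the same divergence, so whichever way this is resolved it has to be applied to every per-transform copy.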
@@ -0,0 +1,78 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.mac
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: host.uptime
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: network.direction
+- external: ecs
+ name: network.type
+- external: ecs
+ name: tags
+- name: error.message
+ type: match_only_text
+- name: event.ingested
+ type: date
diff --git a/packages/tychon/elasticsearch/transform/arp/fields/fields.yml b/packages/tychon/elasticsearch/transform/arp/fields/fields.yml
new file mode 100644
index 00000000000..6ee09956138
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/arp/fields/fields.yml
@@ -0,0 +1,8 @@
+- name: destination.hostname
+ type: keyword
+- name: destination.name
+ type: keyword
+- name: network.interface
+ type: keyword
+- name: network.state
+ type: keyword
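Review bot: The four fields in `fields.yml` (`destination.hostname`, `destination.name`, `network.interface`, `network.state`) carry no `description`, unlike every field in the sibling `agent.yml` and `base-fields.yml`, so any field table generated from this file would presumably show them with an empty Description cell. Please add one line each, e.g. `description: Hostname of the ARP neighbour, if it could be resolved.` under `destination.hostname` and `description: Local network interface that holds the ARP entry.` under `network.interface`. I cannot tell from the hunk what `network.state` and `destination.name` hold (the ARP entry state, a NetBIOS name?), so those two need the author's wording rather than a guess.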
diff --git a/packages/tychon/elasticsearch/transform/arp/manifest.yml b/packages/tychon/elasticsearch/transform/arp/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/arp/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/arp/transform.yml b/packages/tychon/elasticsearch/transform/arp/transform.yml
new file mode 100644
index 00000000000..f67a6a29fb6
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/arp/transform.yml
@@ -0,0 +1,19 @@
+source:
+ index:
+ - logs-tychon.tychon_arp-*
+dest:
+ index: tychon_arp
+frequency: 1h
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what ARP tables look like on an endpoint from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/agent.yml b/packages/tychon/elasticsearch/transform/cpu/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/cpu/fields/agent.yml
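Review bot: `dynamic: true` on the destination index template means any key present in a source document but absent from the `fields/` files is mapped on the fly in `tychon_arp`, with `strings_as_keyword` turning every such string into a keyword. That is convenient for scanner output, but it also lets an unexpected or malformed document extend the destination mapping without anyone having declared the field, and the declared fields stop being the contract for what the index contains. I am inferring intent here: if undeclared scanner keys are meant to flow through, a short note in `_meta` saying so would settle it, e.g. `_meta: {comment: undeclared scanner keys are mapped dynamically on purpose}`; if they are not, `dynamic: false` keeps the declared fields and drops the rest.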
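Review bot: `latest.unique_key` is `id`, which `fields/agent.yml` in this same PR describes as the "TYCHON unique document identifier"; if that description is accurate, no two source documents share the key, so the `latest` transform retains every document and `tychon_arp` grows with the log stream instead of holding the current ARP table per endpoint as the `description` line promises. A key that identifies the ARP entry rather than the document, for example `tychon.id` (the host identifier) together with `destination.ip` and `network.interface`, all three of which are declared for this transform, would collapse repeated scans to their latest state. If `id` is in fact stable per host and entry across scans, the fix is instead to correct the `id` description in `agent.yml`. Either way the keying should be stated here, e.g. `description: Keeps the latest ARP entry per endpoint, keyed on the fields listed under unique_key.`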
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cpu/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cpu/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml new file mode 100644 index 00000000000..ff1f0be95fe --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cpu/fields/ecs.yml 
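Review bot: The descriptions under `host.hardware.cpu` are copy-paste leftovers from the `bios` group: `cpu.manufacturer` is documented as `Host BIOS Manufacturer.`, `cpu.owner` as `Host BIOS Owner.` and `cpu.serial_number` as `Host BIOS Serial Number.` (the last duplicating `host.biossn` higher up). Either these three fields belong under `host.hardware.bios`, or their descriptions should read `Host CPU Manufacturer.` and so on, whichever matches what the scanner actually emits. Separately, `host.ipv4` is typed `ip` while `host.ipv6` is `keyword`; mapping both as `ip` enables CIDR and range filtering on either address family.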
@@ -0,0 +1,70 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/cpu/fields/fields.yml b/packages/tychon/elasticsearch/transform/cpu/fields/fields.yml new file mode 100644 index 00000000000..eb728cc9162 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cpu/fields/fields.yml 
@@ -0,0 +1,18 @@ +- name: host.cpu.caption + type: text +- name: host.cpu.clockspeed + type: long +- name: host.cpu.family + type: keyword +- name: host.cpu.manufacturer + type: keyword +- name: host.cpu.name + type: keyword +- name: host.cpu.number_of_cores + type: integer +- name: host.cpu.number_of_logical_processors + type: integer +- name: host.cpu.speed + type: long +- name: host.cpu.virtualization_firmware_enabled + type: boolean diff --git a/packages/tychon/elasticsearch/transform/cpu/manifest.yml b/packages/tychon/elasticsearch/transform/cpu/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cpu/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cpu/transform.yml b/packages/tychon/elasticsearch/transform/cpu/transform.yml new file mode 100644 index 00000000000..6c11d28d2de --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cpu/transform.yml @@ -0,0 +1,19 @@ +source: + index: + - logs-tychon.tychon_cpu-* +dest: + index: tychon_cpu +frequency: 1h +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of endpoint cpu information from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/agent.yml 
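Review bot: `host.cpu.clockspeed` and `host.cpu.speed` are both bare `long` fields with no description or unit, so a reader cannot tell MHz from GHz or how the two values differ; each needs a description that names the unit, e.g. `description: Current CPU clock speed in MHz.`, or a unit suffix in the name while the package is still unreleased. `host.cpu.caption` is the only `text` field in the package, whereas the manifest maps every other string to `keyword` with `ignore_above: 1024`; a `text` mapping blocks terms aggregations on it in inventory dashboards, so `keyword` is likely the intended type unless full-text search on captions is required.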
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
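Review bot: `host.ipv4` and `host.ipv6` are typed `keyword` here, while the cpu transform's agent.yml maps `host.ipv4` as `ip`; if the `tychon_*` indices are ever queried together (a `tychon*` data view, for instance) the same field name with two mapping types produces field-type conflicts in Kibana and CIDR filtering works on one index but not the other. Use `type: ip` for both families in every transform's field definitions. The `host.hardware.cpu.manufacturer`, `owner` and `serial_number` descriptions in this file are also copied from the BIOS group (`Host BIOS Manufacturer.` etc.) and should either describe CPU attributes or move under `bios`.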
+++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml new file mode 100644 index 00000000000..e5104b41dff --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/fields/fields.yml 
@@ -0,0 +1,70 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + format: "strict_date_optional_time||epoch_millis||date||\"MM/dd/yyyy\"" + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
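Review bot: The `due_date` format branch `\"MM/dd/yyyy\"` is YAML-escaped, so the pattern Elasticsearch receives contains literal double-quote characters; in java.time patterns any non-letter character other than `'`, `[`, `]`, `{`, `}` and `#` is matched literally, so a plain `03/15/2024` value fails every branch and the document is rejected at index time unless the scanner really emits the surrounding quotes. Drop the inner quotes: `format: "strict_date_optional_time||epoch_millis||date||MM/dd/yyyy"`. Note also that the cve_windows_2019 copy of this file declares no `format` at all, so the two destinations currently accept different date strings from the same source stream. Descriptions contain the typos `Vulneraiblity` and `Vulnerabilty`.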
diff --git a/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml b/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_linux/transform.yml b/packages/tychon/elasticsearch/transform/cve_linux/transform.yml new file mode 100644 index 00000000000..ec804d02a8e --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_linux/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + host.os.type: "linux" + - match_phrase: + event.kind: "state" +dest: + index: tychon_cve-linux +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.6 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what LINUX based vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/agent.yml 
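Review bot: The `latest` grouping on `id` hinges on what `id` identifies; `fields.yml` documents it as `Tychon Unique Vulnerability Id`, and if that is one identifier per CVE rather than per host/CVE pair, the transform keeps a single host's most recent result per CVE and silently drops every other host's finding from the vulnerability view. If `id` is not host-scoped, group on the pair instead: `unique_key: [host.id, vulnerability.id]`. There is also no `retention_policy`, so results from hosts that stop reporting persist as current findings indefinitely.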
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
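Review bot: `vulnerability.due_date` has no `format` here, while the cve_linux copy of this file accepts `MM/dd/yyyy` in addition to the defaults; both transforms read the same `logs-tychon.tychon_cve-*` source, so a Windows document carrying a `MM/dd/yyyy` due date would be accepted by the Linux destination template but fail indexing into `tychon_cve-2019_windows`. The field definition should be identical across the cve_* transforms, e.g. `format: "strict_date_optional_time||epoch_millis||date||MM/dd/yyyy"` in each, or better the date should be normalized in the ingest pipeline so the destinations need only the default format. The same `Vulneraiblity`/`Vulnerabilty` typos appear in this copy.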
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2019/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_2019/transform.yml new file mode 100644 index 00000000000..cbb6a586d8b --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2019/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + vulnerability.year: 2019 + - match_phrase: + host.os.family: "windows" +dest: + index: tychon_cve-2019_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2019 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/agent.yml 
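Review bot: The Windows selection `vulnerability.year: 2019` plus `host.os.family: "windows"` does not mirror the Linux transform's `host.os.type: "linux"` plus `event.kind: "state"` filter, so non-state documents from Windows hosts (errors or other event kinds, if the stream carries any) can land in the destination, and filtering on `host.os.family` for one platform but `host.os.type` for the other makes the two result sets hard to reason about. Apply the same pair on both, e.g. `- match_phrase: { host.os.type: "windows" }` and `- match_phrase: { event.kind: "state" }`. Partitioning Windows results into one transform per CVE year (a `cve_windows_2020` sibling begins right after this hunk) also means CVEs from any year without a dedicated transform are never surfaced until a new transform is shipped; a single Windows transform that keeps `vulnerability.year` in the document would cover all years.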
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
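Review bot: The three descriptions under `host.hardware.cpu` (`manufacturer`, `owner`, `serial_number`) all say "Host BIOS …", which looks like a copy-paste from the `bios` group above and will mislead anyone wiring these fields into dashboards or asset matching; either they are CPU properties and should read `Host CPU Manufacturer.` etc., or they belong under `host.hardware.bios`. Also `host.ipv4` and `host.ipv6` are `keyword` while `host.ip` is `ip`; mapping them as `type: ip` keeps CIDR and range queries working across all three. The same content is duplicated in the other year folders.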
+++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/ecs.yml 
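Review bot: `data_stream.namespace` is `constant_keyword` here, but the transform's source pattern `logs-tychon.tychon_cve-*` spans every namespace; a constant_keyword takes its value from the first document indexed and then rejects documents carrying a different value, so if this integration is ever deployed under more than one namespace the transform will start failing on the second one. Unless the destination is guaranteed single-namespace, map it as `type: keyword`. The same file is copied into each year folder.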
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
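Review bot: `vulnerability.score.base` is declared here as a local field even though it is an ECS field and the sibling ecs.yml already imports `vulnerability.score.version` with `external: ecs`; a hand-written copy can drift from the ECS definition the package pins. Move it to ecs.yml as `- external: ecs` / `name: vulnerability.score.base` and drop the local entry. The typos `Vulneraiblity` and `Vulnerabilty` are present in this copy too.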
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2020/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_2020/transform.yml new file mode 100644 index 00000000000..eb95307c81f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2020/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + vulnerability.year: 2020 + - match_phrase: + host.os.family: "windows" +dest: + index: tychon_cve-2020_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2020 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/agent.yml 
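Review bot: A `latest` transform only ever upserts, so a finding the scanner stops reporting — a remediated CVE, a decommissioned host — stays in `tychon_cve-2020_windows` with its last `vulnerability.result` indefinitely, and anything built on this index will overstate exposure. Add a retention policy keyed on the scan time so stale rows age out, picking a `max_age` comfortably longer than the scan interval. The same applies to the other year transforms, and `vulnerablility` in the description should be fixed.
```yaml
# … unchanged: source, dest, frequency, sync, latest …
retention_policy:
  time:
    field: '@timestamp'
    max_age: 30d
# … unchanged: _meta, description …
```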
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
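Review bot: Most of this file re-declares ECS fields by hand (`cloud.account.id`, `cloud.availability_zone`, `cloud.instance.*`, `cloud.machine.type`, `cloud.provider`, `cloud.region`, `cloud.project.id`, `container.*`, `host.domain`, `host.hostname`, `host.ip`, `host.mac`, `host.os.family`, `host.os.name`, `host.os.version`, `host.type`, `host.uptime`, `host.id`) while the sibling ecs.yml pulls other ECS fields in with `external: ecs`; the two mechanisms side by side invite the copied definitions to drift from the ECS release the package uses. Keep only the TYCHON-specific fields here (`host.biossn`, `host.workgroup`, `host.oem.*`, `host.hardware.*`, `host.os.build`/`description`/`organization`, `host.ipv4`/`ipv6`, and `cloud.image.id` if it is not in ECS) and list the ECS ones in ecs.yml as `- external: ecs` entries. This file is identical across the year folders.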
+++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
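Review bot: `script.current_duration` is a bare float with no unit, and `script.current_time` is described only as "Current datetime", which does not say whether it is when the scanner wrote the record or when the agent collected it — yet these are the fields an analyst would use to tell a fresh result from a stale one. Put the unit and the reference clock in the descriptions, e.g. `description: Scanner script duration in seconds (confirm unit against scanner output).` and `description: Time the scanner produced this record, per the scanner's clock.`, with the details confirmed against the scanner. Same in the other year copies.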
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2021/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_2021/transform.yml new file mode 100644 index 00000000000..03456181e79 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2021/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + vulnerability.year: 2021 + - match_phrase: + host.os.family: "windows" +dest: + index: tychon_cve-2021_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2021 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/agent.yml 
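Review bot: Both filters use `match_phrase` although they are exact matches on non-text fields (`vulnerability.year` is `long`, `host.os.family` is `keyword`), so `term` states the intent directly: `- term:` / `vulnerability.year: 2021` and `- term:` / `host.os.family: windows`. Note the keyword match is case-sensitive, so hosts that report `Windows` rather than `windows` would silently drop out of this summary — worth confirming the ingest pipeline normalises the value. Because the year is hard-coded per transform, findings whose `vulnerability.year` falls outside the shipped set are also never summarised; a sentence in the README saying a new folder must be added each year would spare the next maintainer the surprise.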
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
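Review bot: `host.biossn` ("Host BIOS Serial Number") and `host.hardware.cpu.serial_number` (same description) look like two mappings for one value; two fields with one meaning split searches and dashboards, and if they actually hold different serials the description hides that. Either drop `host.biossn` in favour of the nested field (and fix its description to say which device it belongs to), or document the difference, e.g. `description: Host BIOS serial number as reported by the OEM; see host.hardware.cpu.serial_number for the CPU.` Duplicated across the year folders.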
+++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
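Review bot: `script.current_duration` is typed `float` here but `long` in the epp transform's fields.yml later in this diff, so the same field name ends up mapped differently across the destination indices; one type should be chosen for both. The descriptions also carry typos: `Information Assurance Vulneraiblity Alert Identifier.` → `Information Assurance Vulnerability Alert Identifier.`, `Score of the Vulnerabilty.` → `Score of the Vulnerability.`, and `Vulnerability Due Date Reason` lacks the trailing period every other entry has. The cve_windows_2023 and cve_windows_20xx fields.yml hunks are the same blob and carry the same text.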
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2022/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_2022/transform.yml new file mode 100644 index 00000000000..bf43689b263 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2022/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + vulnerability.year: 2022 + - match_phrase: + host.os.family: "windows" +dest: + index: tychon_cve-2022_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2023 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/agent.yml 
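Review bot: `dynamic: true` together with `date_detection: true` lets any undeclared field in the source documents be auto-mapped into the destination index, and a string value that happens to look like a date is mapped as `date`, after which a later non-date value for that field is rejected. Since the fields the transform carries are presumably all declared under fields/, `dynamic: false` and `date_detection: false` would pin the destination mapping to the declared schema; if undeclared fields are intended to flow through, a comment saying so would help. The same manifest blob is reused for cve_windows_2023, cve_windows_20xx and epp.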
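Review bot: The `description` says `Windows 2023 vulnerablility results` while the query filters `vulnerability.year: 2022` and writes to `tychon_cve-2022_windows`; the year should read 2022, and `vulnerablility` → `vulnerability` (the cve_windows_2023 transform has the same misspelling). The filter uses `match_phrase` on `vulnerability.year`, which fields.yml maps as `long`, and on `host.os.family`; for an exact match on numeric and keyword fields `term` states the intent more directly, e.g. `- term:` / `    vulnerability.year: 2022`. The cve_windows_20xx transform already uses `match` plus `range` for the same purpose, so the three transforms would read better with one consistent query style.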
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
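Review bot: The descriptions under `host.hardware.cpu` are copied from the BIOS group: `manufacturer`, `owner` and `serial_number` are all described as `Host BIOS ...` although they sit under `cpu`, and `host.biossn` already carries `Host BIOS Serial Number.`, so either the descriptions or the placement of these fields is wrong. Separately, `host.ipv4` and `host.ipv6` are typed `keyword` while `host.ip` is `ip`; mapping them as `type: ip` would allow CIDR and range filtering on the inventory, which a `keyword` field cannot provide. The same agent.yml blob is reused for cve_windows_20xx and epp, so the fix applies there too.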
+++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_2023/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_2023/transform.yml new file mode 100644 index 00000000000..e62c372c8bc --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_2023/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match_phrase: + vulnerability.year: 2023 + - match_phrase: + host.os.family: "windows" +dest: + index: tychon_cve-2023_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2023 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/agent.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/agent.yml 
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/ecs.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/ecs.yml new file mode 100644 index 00000000000..31ba2470b1f --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: vulnerability.category +- external: ecs + name: vulnerability.classification +- external: ecs + name: vulnerability.description +- external: ecs + name: vulnerability.enumeration +- external: ecs + name: vulnerability.id +- external: ecs + name: vulnerability.reference +- external: ecs + name: vulnerability.scanner.vendor +- external: ecs + name: vulnerability.score.version +- external: ecs + name: vulnerability.severity diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/fields.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/fields.yml new file mode 100644 index 00000000000..2e5ad842973 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/fields/fields.yml 
@@ -0,0 +1,69 @@ +- name: id + description: Tychon Unique Vulnerability Id. + type: keyword +- name: vulnerability + type: group + fields: + - name: definition + description: National Vulnerability Database Vulnerability Definition. + type: keyword + - name: due_date + description: Vulnerability Due Date. + type: date + - name: due_date_reason + description: Vulnerability Due Date Reason + type: keyword + - name: iava + description: Information Assurance Vulneraiblity Alert Identifier. + type: keyword + - name: iava_severity + description: Information Assurance Vulnerability Alert Severity. + type: keyword + - name: result + description: Pass/Fail Outcome of the Common Vulnerabilities and Exposures Scan. + type: keyword + - name: score.base + description: National Vulnerability Database Score of the Vulnerabilty. + type: float + - name: title + description: Common Vulnerabilities and Exposures Description and Title. + type: keyword + - name: version + description: Version Number of the Scan. + type: keyword + - name: year + description: Common Vulnerabilities and Exposures Year. + type: long +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword 
diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/manifest.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/cve_windows_20xx/transform.yml b/packages/tychon/elasticsearch/transform/cve_windows_20xx/transform.yml new file mode 100644 index 00000000000..5d561c71eb3 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/cve_windows_20xx/transform.yml @@ -0,0 +1,27 @@ +source: + index: + - logs-tychon.tychon_cve-* + query: + bool: + must: + - match: + host.os.family: "windows" + - range: + vulnerability.year: + lte: 2018 +dest: + index: tychon_cve-20xx_windows +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what Windows 2019 vulnerablility results are from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/epp/fields/agent.yml b/packages/tychon/elasticsearch/transform/epp/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/epp/fields/agent.yml 
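Review bot: The `description` says `Windows 2019 vulnerablility results` while the query selects `vulnerability.year` with `lte: 2018` and the destination is `tychon_cve-20xx_windows`; the text should describe the actual range (2018 and earlier), and `vulnerablility` → `vulnerability`. Whether years 2019–2021 are handled by transforms outside this chunk cannot be seen here, but the `lte: 2018` bound and the `20xx` name should be reconciled with whatever those are. The query also uses `match` on `host.os.family` where the 2022 and 2023 transforms use `match_phrase`; one style across the set would make the differences between them easier to spot.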
@@ -0,0 +1,192 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: id + description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment. + type: keyword + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: ipv4 + level: core + type: keyword + description: Host ip v4 addresses. + - name: ipv6 + level: core + type: keyword + description: Host ip v6 addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: type + description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword + - name: uptime + description: Seconds the host has been up. + type: long + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: family + description: OS family (such as redhat, debian, freebsd, windows). + type: keyword + - name: name + description: Operating system name, without the version. + type: keyword + - name: organization + description: Host OS Organization. + type: keyword + - name: version + description: Operating system version as a raw string. + type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/epp/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/epp/fields/base-fields.yml new file mode 100644 index 00000000000..44a26fd137a --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/epp/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: keyword + description: Event module. +- name: '@timestamp' + description: Event timestamp. + type: date diff --git a/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml new file mode 100644 index 00000000000..05e44a34ee0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/epp/fields/ecs.yml @@ -0,0 +1,52 @@ +- external: ecs + name: package.description +- external: ecs + name: package.name +- external: ecs + name: package.reference +- external: ecs + name: package.type +- external: ecs + name: package.build_version +- external: ecs + name: event.kind +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: event.ingested +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.dataset +- external: ecs + name: event.timezone +- external: ecs + name: error.message +- external: ecs + name: host.os.type +- external: ecs + name: log.file.path +- external: ecs + name: tags +- external: ecs + name: host.architecture +- external: ecs + name: host.name +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.platform 
diff --git a/packages/tychon/elasticsearch/transform/epp/fields/fields.yml b/packages/tychon/elasticsearch/transform/epp/fields/fields.yml new file mode 100644 index 00000000000..4b80ceabc31 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/epp/fields/fields.yml 
@@ -0,0 +1,109 @@ +- name: id + description: TYCHON Unique Idnentifier of the Common Vulnerabilities and Exposures Result for the Endpoint. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Current Scanner Script Duration. + type: long + - name: current_time + description: Current Script datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: windows_defender + group: 2 + type: group + fields: + - name: service + type: group + fields: + - name: behavior_monitor.status + description: Windows Defender Behavior Monitor Status. + type: keyword + - name: ioav_protection.status + description: Windows Defender iOffice Antivirus Protection Status. + type: keyword + - name: on_access_protection.status + description: Windows Defender On Access Protection Status. + type: keyword + - name: real_time_protection.status + description: Windows Defender Real-time Procection Status. + type: keyword + - name: antimalware + type: group + fields: + - name: engine_version + description: Windows Defender Antimalware Engine Version. + type: keyword + - name: product_version + description: Windows Defender Antimalware Product Version. + type: keyword + - name: signature_version + description: Windows Defender Antimalware Signature Version. + type: keyword + - name: status + description: Windows Defender Antimalware Status. + type: keyword + - name: antispyware + type: group + fields: + - name: signature_version + description: Windows Defender Antispyware Signature Version. + type: keyword + - name: status + description: Windows Defender Antispyware Status. 
+ type: keyword + - name: antivirus + type: group + fields: + - name: full_scan.signature_version + description: Windows Defender Antivirus Full Scan Version. + type: keyword + - name: quick_scan.signature_version + description: Windows Defender Antivirus Signature Version. + type: keyword + - name: status + description: Windows Defender Antivirus Status. + type: keyword + - name: nis + type: group + fields: + - name: engine_version + description: Windows Defender Network Inspection System Engine Version. + type: keyword + - name: signature_version + description: Windows Defender Network Inspection System Signature Version. + type: keyword + - name: status + description: Windows Defender Network Inspection System Status. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: host.epp.product + description: Epp products installed + type: keyword +- name: host.trellix.product + description: trellix products installed + type: keyword diff --git a/packages/tychon/elasticsearch/transform/epp/manifest.yml b/packages/tychon/elasticsearch/transform/epp/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/epp/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/epp/transform.yml b/packages/tychon/elasticsearch/transform/epp/transform.yml new file mode 100644 index 00000000000..ea7835e54d6 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/epp/transform.yml 
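Review bot: The description of `id`, `TYCHON Unique Idnentifier of the Common Vulnerabilities and Exposures Result for the Endpoint.`, looks copied from a vulnerability dataset — this fields.yml maps endpoint-protection status, and `Idnentifier` is misspelled; suggest `TYCHON unique identifier of the endpoint protection status result for the endpoint.`. Other descriptions in the same file carry slips: `Real-time Procection` should be `Real-time Protection`, and `full_scan.signature_version` is described as `Antivirus Full Scan Version` while `quick_scan.signature_version` is `Antivirus Signature Version`, so the pair is not parallel. `host.epp.product` and `host.trellix.product` are described as `Epp products installed` and `trellix products installed` with inconsistent capitalisation; a parallel wording such as `EPP products installed on the host.` / `Trellix products installed on the host.` would read better. The whole hunk is one list, so none of this affects the field structure.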
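Review bot: `date_detection: true` combined with `dynamic: true` means any field not listed in fields.yml is typed by the first document the transform writes; a string value that happens to parse as a date is mapped as `date`, and a later document carrying a non-date string in that field is rejected. For a destination that stores strings reported by endpoints, `date_detection: false` is the safer default, since the known timestamp fields (`script.current_time`, `script.start`, `event.ingested`) are already mapped explicitly as `date`. This manifest is repeated byte-for-byte for exposed_service, hard_drive, hardware and host_info, so the same change applies to all five.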
@@ -0,0 +1,19 @@
+source:
+ index:
+ - logs-tychon.tychon_epp-*
+dest:
+ index: tychon_epp
+frequency: 1h
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of endpoint protetction status information from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/exposed_service/fields/agent.yml b/packages/tychon/elasticsearch/transform/exposed_service/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/exposed_service/fields/agent.yml
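Review bot: `latest.unique_key` is `id`, yet the field files in this package describe `id` as a per-result / per-document identifier (the agent.yml files say `TYCHON unique document identifier` and reserve `tychon.id` for the host); if that holds for this dataset, the transform keeps every document rather than the latest status per endpoint, and `tychon_epp` grows without bound instead of being the "running configuration" the description promises. If one row per host is intended, `unique_key:` / `- host.id` (or `tychon.id`, where it is mapped) with the existing `sort: '@timestamp'` gives that; the same key is used by the exposed_service, hard_drive, hardware and host_info transform.yml files, so the decision applies to all of them. Separately, `protetction` in the description should be `protection`.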
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/exposed_service/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/exposed_service/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/exposed_service/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/exposed_service/fields/ecs.yml b/packages/tychon/elasticsearch/transform/exposed_service/fields/ecs.yml new file mode 100644 index 00000000000..a7dcf1323ac --- /dev/null +++ b/packages/tychon/elasticsearch/transform/exposed_service/fields/ecs.yml 
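Review bot: `host.ipv6` is mapped as `keyword` while `host.ipv4` is `ip`; the Elasticsearch `ip` type stores both address families and supports CIDR and range queries, whereas a keyword mapping will not match equivalent textual forms of the same v6 address, so `ipv6` should also be `type: ip`. In the `host.hardware.cpu` group the entries `manufacturer`, `owner` and `serial_number` are described as `Host BIOS Manufacturer`, `Host BIOS Owner` and `Host BIOS Serial Number`, which reads as a copy-paste from the `bios` group and duplicates the top-level `host.biossn`; either the descriptions should say what the CPU values are, or the fields belong under `bios`. This agent.yml is the same blob (2f024c089ab) in hard_drive, hardware and host_info, so the fix applies to all four copies.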
@@ -0,0 +1,94 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: network.transport +- external: ecs + name: process.command_line +- external: ecs + name: process.executable +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.user.name +- external: ecs + name: service.name +- external: ecs + name: service.state +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date +- name: process.start + type: date 
diff --git a/packages/tychon/elasticsearch/transform/exposed_service/fields/fields.yml b/packages/tychon/elasticsearch/transform/exposed_service/fields/fields.yml
new file mode 100644
index 00000000000..0d2e4aef412
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/exposed_service/fields/fields.yml
@@ -0,0 +1,6 @@
+- name: service.description
+ type: keyword
+- name: service.display_name
+ type: keyword
+- name: source.port
+ type: integer
diff --git a/packages/tychon/elasticsearch/transform/exposed_service/manifest.yml b/packages/tychon/elasticsearch/transform/exposed_service/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/exposed_service/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/exposed_service/transform.yml b/packages/tychon/elasticsearch/transform/exposed_service/transform.yml
new file mode 100644
index 00000000000..8c4cdb5c5d4
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/exposed_service/transform.yml
@@ -0,0 +1,19 @@
+source:
+ index:
+ - logs-tychon.tychon_exposedservice-*
+dest:
+ index: tychon_exposedservice
+frequency: 30m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what ports are currently open an endpoint from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/hard_drive/fields/agent.yml b/packages/tychon/elasticsearch/transform/hard_drive/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
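Review bot: `source.port` is declared twice for the exposed_service transform — here as `type: integer`, and in fields/ecs.yml (previous hunk) as `external: ecs`, where ECS defines it as `long`; two definitions of one field with different types either fail the package build or leave the effective mapping dependent on which file is processed last. Drop the `- name: source.port` / `type: integer` entry here and keep the ECS reference, unless a deliberately narrower type is wanted, in which case the ecs.yml entry should go instead.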
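Review bot: The description reads `what ports are currently open an endpoint`, which is missing a word; suggest `description: This transformation ensures there is a running configuration of what ports are currently open on an endpoint from TYCHON.`. The text is shown to operators alongside the transform, so it is worth fixing before the package is published.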
+++ b/packages/tychon/elasticsearch/transform/hard_drive/fields/agent.yml 
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/hard_drive/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/hard_drive/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hard_drive/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/hard_drive/fields/ecs.yml b/packages/tychon/elasticsearch/transform/hard_drive/fields/ecs.yml new file mode 100644 index 00000000000..ff1f0be95fe --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hard_drive/fields/ecs.yml 
@@ -0,0 +1,70 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/hard_drive/fields/fields.yml b/packages/tychon/elasticsearch/transform/hard_drive/fields/fields.yml new file mode 100644 index 00000000000..89116cfd6ac --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hard_drive/fields/fields.yml 
@@ -0,0 +1,50 @@
+- name: disk.adapter.serial_number
+ type: keyword
+- name: disk.boot_from
+ type: boolean
+- name: disk.bus_type
+ type: keyword
+- name: disk.clustered
+ type: boolean
+- name: disk.firmware.version
+ type: keyword
+- name: disk.firmware_version
+ type: keyword
+- name: disk.guid
+ type: keyword
+- name: disk.health_status
+ type: keyword
+- name: disk.highly_available
+ type: boolean
+- name: disk.is_boot
+ type: boolean
+- name: disk.location.adapter
+ type: integer
+- name: disk.location.bus
+ type: integer
+- name: disk.location.device
+ type: integer
+- name: disk.location.function
+ type: integer
+- name: disk.manufacturer
+ type: keyword
+- name: disk.model
+ type: keyword
+- name: disk.name
+ type: keyword
+- name: disk.number
+ type: integer
+- name: disk.number_of_partitions
+ type: integer
+- name: disk.offline
+ type: boolean
+- name: disk.operational_status
+ type: keyword
+- name: disk.partition_style
+ type: keyword
+- name: disk.serial_number
+ type: keyword
+- name: disk.size
+ type: long
+- name: disk.system
+ type: boolean
diff --git a/packages/tychon/elasticsearch/transform/hard_drive/manifest.yml b/packages/tychon/elasticsearch/transform/hard_drive/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/hard_drive/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/hard_drive/transform.yml b/packages/tychon/elasticsearch/transform/hard_drive/transform.yml
new file mode 100644
index 00000000000..8a784cee365
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/hard_drive/transform.yml
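Review bot: `disk.firmware.version` and `disk.firmware_version` are both declared as keyword, and `disk.boot_from` and `disk.is_boot` both as boolean; each pair looks like one attribute under two names, which invites drift between what the ingest pipeline populates and what queries and dashboards read. Keep one of each (for example `disk.firmware.version` and `disk.is_boot`) unless the source genuinely emits distinct values, in which case a `description:` on each entry should state how they differ — none of the 25 fields in this file carries a description at present.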
@@ -0,0 +1,19 @@
+source:
+ index:
+ - logs-tychon.tychon_harddrive-*
+dest:
+ index: tychon_harddrive
+frequency: 1h
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of endpoint hard-drive information from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/agent.yml b/packages/tychon/elasticsearch/transform/hardware/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/hardware/fields/agent.yml
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/hardware/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hardware/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml new file mode 100644 index 00000000000..27c34f615b8 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hardware/fields/ecs.yml 
@@ -0,0 +1,74 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: device.id +- external: ecs + name: device.manufacturer +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/hardware/fields/fields.yml b/packages/tychon/elasticsearch/transform/hardware/fields/fields.yml new file mode 100644 index 00000000000..ff33e64dbab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/hardware/fields/fields.yml 
@@ -0,0 +1,12 @@
+- name: device.class
+ type: keyword
+- name: device.description
+ type: keyword
+- name: device.friendly_name
+ type: keyword
+- name: device.name
+ type: keyword
+- name: device.present
+ type: boolean
+- name: device.status
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/hardware/manifest.yml b/packages/tychon/elasticsearch/transform/hardware/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/hardware/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/hardware/transform.yml b/packages/tychon/elasticsearch/transform/hardware/transform.yml
new file mode 100644
index 00000000000..b566fbe7a19
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/hardware/transform.yml
@@ -0,0 +1,19 @@
+source:
+ index:
+ - logs-tychon.tychon_hardware-*
+dest:
+ index: tychon_hardware
+frequency: 1m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of endpoint hardware information from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/host_info/fields/agent.yml b/packages/tychon/elasticsearch/transform/host_info/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/host_info/fields/agent.yml
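Review bot: `frequency: 1m` in hardware/transform.yml is out of line with the other TYCHON transforms (epp, hard_drive and host_info use `1h`, exposed_service `30m`) for data — installed-device inventory — that changes rarely; with `delay: 60s` this schedules a checkpoint every minute on every cluster the package is installed on, for little benefit. Unless near-real-time visibility of hardware changes is a stated requirement, `frequency: 1h` would match the siblings; if `1m` is intentional, a comment or a note in the description explaining why would stop the next reviewer from "fixing" it.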
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/host_info/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/host_info/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/host_info/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/host_info/fields/ecs.yml b/packages/tychon/elasticsearch/transform/host_info/fields/ecs.yml new file mode 100644 index 00000000000..2be31038472 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/host_info/fields/ecs.yml @@ -0,0 +1,32 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.os.family +- external: ecs + name: host.os.name +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime 
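Review bot: host_info/fields/ecs.yml omits `event.ingested`, which host_info/transform.yml uses as `sync.time.field`, and also lacks the `agent.*`, `event.*`, `host.os.kernel` / `host.os.platform` / `host.os.type`, `log.file.path`, `tags` and `error.message` entries that the other four transforms' ecs.yml files declare; without an explicit mapping, `event.ingested` in `tychon_host` relies on the destination template's dynamic date detection. Add `- name: event.ingested` / `type: date` as the siblings do, plus the missing `- external: ecs` references, so the five destination indices share one schema and the sync field is guaranteed to be a date.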
diff --git a/packages/tychon/elasticsearch/transform/host_info/fields/fields.yml b/packages/tychon/elasticsearch/transform/host_info/fields/fields.yml new file mode 100644 index 00000000000..8a8e8a28231 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/host_info/fields/fields.yml 
@@ -0,0 +1,72 @@ +- name: event.deviceguard.basevirtualizationsupport.available + type: boolean +- name: event.deviceguard.credentialguard.enabled + type: boolean +- name: event.deviceguard.credentialguard.running + type: boolean +- name: event.deviceguard.dmaprotection.available + type: boolean +- name: event.deviceguard.hypervisorenforcedcodeint.enabled + type: boolean +- name: event.deviceguard.hypervisorenforcedcodeint.running + type: boolean +- name: event.deviceguard.secureboot.available + type: boolean +- name: event.deviceguard.securememoverwrite.available + type: boolean +- name: event.deviceguard.smmsecuritymigrations.available + type: boolean +- name: event.deviceguard.systemguardsecurelaunch.enabled + type: boolean +- name: event.deviceguard.systemguardsecurelaunch.running + type: boolean +- name: event.deviceguard.ueficodereadonly.available + type: boolean +- name: event.deviceguard.usermodecodeintegrity.policyenforcement + type: keyword +- name: event.deviceguard.version + type: keyword +- name: event.deviceguard.virtualizationbasedsecurity.status + type: keyword +- name: event.ufi.enabled + type: boolean +- name: host.cpu.caption + type: keyword +- name: host.cpu.count + type: integer +- name: host.memory.size + type: long +- name: host.motherboard.chipset + type: keyword +- name: host.motherboard.serial_number + type: keyword +- name: host.os.edition + type: keyword +- name: host.os.vendor + type: keyword +- name: host.security.antivirus.exists + type: boolean +- name: host.security.antivirus.name + type: keyword +- name: host.security.antivirus.state + type: keyword +- name: host.security.antivirus.status + type: keyword +- name: host.tpm.compliant + type: boolean +- name: host.tpm.digest.id + type: keyword +- name: host.tpm.present + type: boolean +- name: host.tpm.version + type: keyword +- name: host.virtualization_status + type: keyword +- name: tychon.definition.oval + type: date +- name: tychon.definition.stig + type: date +- name: 
tychon.version.agent + type: version +- name: tychon.version.content + type: version diff --git a/packages/tychon/elasticsearch/transform/host_info/manifest.yml b/packages/tychon/elasticsearch/transform/host_info/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/host_info/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/host_info/transform.yml b/packages/tychon/elasticsearch/transform/host_info/transform.yml new file mode 100644 index 00000000000..91d194ec972 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/host_info/transform.yml @@ -0,0 +1,19 @@ +source: + index: + - logs-tychon.tychon_host-* +dest: + index: tychon_host +frequency: 1h +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of endpoint Host/OS information from TYCHON. diff --git a/packages/tychon/elasticsearch/transform/network_adapter/fields/agent.yml b/packages/tychon/elasticsearch/transform/network_adapter/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/fields/agent.yml 
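Review bot: `event.ufi.enabled` looks like a misspelling of `uefi`; if the ingest pipeline emits `event.uefi.enabled` this mapping is dead and the real field is mapped dynamically, so confirm against the pipeline and rename to `- name: event.uefi.enabled`. More broadly, `event.deviceguard.*`, `host.tpm.*`, `host.security.antivirus.*` and `host.virtualization_status` are vendor fields placed inside the ECS-reserved `event.*` and `host.*` namespaces, which risks colliding with future ECS fields; the package already uses a vendor prefix for `tychon.definition.*` and `tychon.version.*`, and `tychon.deviceguard.*` / `tychon.tpm.*` would follow that. Since these Credential Guard, HVCI, Secure Boot and TPM booleans are exactly what detection rules will key on, a one-line `description:` per field (for example spelling out the `enabled` versus `running` distinction) would spare analysts from guessing.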
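Review bot: `dynamic: true` combined with `date_detection: true` lets any unmapped string the endpoint scanner emits create a new field in `tychon_host`, and a value that merely looks like a date (a version string, a serial number) gets locked in as `date`, after which non-date values for that field are rejected. Unless open-ended fields are required, `dynamic: false` (or `strict`) with `date_detection: false` keeps the destination schema to what fields/*.yml declares; if dynamic mapping is intentional, a short comment above `dynamic: true` saying why would help the next reader. This manifest is repeated verbatim in the other five transforms in this diff, so the same consideration applies to each.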
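Review bot: `latest.unique_key: [id]` collapses to one document per value of `id`, which agent.yml in this diff describes as "TYCHON unique document identifier", while `tychon.id` is the "unique host identifier"; if `id` really is per document the transform never supersedes anything and `tychon_host` grows with every scan instead of holding one current row per host. Confirm which identifier is stable across scans and key on that (`- tychon.id` or `- host.id`). Unlike network_adapter and software_inventory_rpm, this `source` has no `query` restricting to `event.kind: state`, so any non-state document in `logs-tychon.tychon_host-*` is also promoted into the current configuration; `fleet_transform_version: 1.0.3` against their `1.0.5` suggests the filter was added there and not here.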
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/network_adapter/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/network_adapter/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/network_adapter/fields/ecs.yml b/packages/tychon/elasticsearch/transform/network_adapter/fields/ecs.yml new file mode 100644 index 00000000000..684a278aafc --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/fields/ecs.yml 
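Review bot: `host.ipv6` is mapped as `keyword` while `host.ipv4` is `ip`; the `ip` type covers IPv6 too and is what makes CIDR and range queries work, so `type: ip` is the consistent choice unless the source can contain non-address strings. The descriptions under `host.hardware.cpu` for `manufacturer`, `owner` and `serial_number` all read "Host BIOS …" and appear copied from the bios group; CPU-specific wording would be accurate. `id` is described here as a document identifier yet is the `latest.unique_key` in network_adapter/transform.yml, so one of the two should change. This agent.yml is the same blob reused under the software_inventory transforms, so the fix applies to every copy.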
@@ -0,0 +1,36 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- name: error.message + type: match_only_text +- external: ecs + name: event.agent_id_status +- name: event.ingested + type: date +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.os.family +- external: ecs + name: host.os.name +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime diff --git a/packages/tychon/elasticsearch/transform/network_adapter/fields/fields.yml b/packages/tychon/elasticsearch/transform/network_adapter/fields/fields.yml new file mode 100644 index 00000000000..5a69e18c631 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/fields/fields.yml 
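Review bot: `error.message` and `event.ingested` are declared with local types while every neighbouring entry uses `external: ecs`; both exist in ECS with these same types, so `- external: ecs` / `  name: event.ingested` keeps them aligned with the ECS version the package pins. `event.kind` is what network_adapter/transform.yml filters on but is not mapped here, so it reaches `tychon_networkadapter` only through dynamic mapping; adding `- external: ecs` / `  name: event.kind` makes that explicit.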
@@ -0,0 +1,58 @@ +- name: host.adapter.alias + type: keyword +- name: host.adapter.description + type: text +- name: host.adapter.dhcp.enabled + type: boolean +- name: host.adapter.dhcp.lease_expires + type: date +- name: host.adapter.dhcp.lease_obtained + type: date +- name: host.adapter.dhcp.server + type: ip +- name: host.adapter.domain + type: keyword +- name: host.adapter.driver.date + type: date +- name: host.adapter.driver.description + type: text +- name: host.adapter.driver.file_name + type: keyword +- name: host.adapter.driver.name + type: keyword +- name: host.adapter.driver.provider + type: keyword +- name: host.adapter.driver.version + type: keyword +- name: host.adapter.gateway + type: ip +- name: host.adapter.id + type: keyword +- name: host.adapter.ip + type: ip +- name: host.adapter.ip_filter.enabled + type: boolean +- name: host.adapter.wins_server + type: keyword +- name: host.adapter.link_speed + type: long +- name: host.adapter.mac + type: keyword +- name: host.adapter.media.connection_state + type: keyword +- name: host.adapter.media.type + type: keyword +- name: host.adapter.mtu + type: integer +- name: host.adapter.ndis.version + type: keyword +- name: host.adapter.subnet_bit + type: integer +- name: host.adapter.virtual + type: boolean +- name: host.adapter.vlan.id + type: keyword +- name: host.adapter.wifi.enabled + type: boolean +- name: host.adapter.wifi.signal_percent + type: integer diff --git a/packages/tychon/elasticsearch/transform/network_adapter/manifest.yml b/packages/tychon/elasticsearch/transform/network_adapter/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true 
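Review bot: `host.adapter.wins_server` is `keyword` while the sibling `dhcp.server` and `gateway` are `ip`; if the WINS value is an address, `type: ip` lets analysts range-match it like the others. `host.adapter.description` and `host.adapter.driver.description` are `text`, which cannot be aggregated or used in terms lookups; for driver inventory, where `driver.file_name` and `driver.version` are what a vulnerable-driver hunt pivots on, a `keyword` with `ignore_above: 1024` (or a multi-field) is more useful. The manifest template already maps dynamic strings as keyword, so a `text` mapping here is a deliberate divergence and deserves a comment if intended.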
diff --git a/packages/tychon/elasticsearch/transform/network_adapter/transform.yml b/packages/tychon/elasticsearch/transform/network_adapter/transform.yml new file mode 100644 index 00000000000..71e2648cddd --- /dev/null +++ b/packages/tychon/elasticsearch/transform/network_adapter/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_networkadapter-* + query: + bool: + must: + - exists: + field: "host.adapter.ip" + - match_phrase: + event.kind: "state" +dest: + index: tychon_networkadapter +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.5 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of endpoint Network Adapter Card information from TYCHON endpoints. diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/agent.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/agent.yml 
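Review bot: The `exists: host.adapter.ip` clause excludes every adapter without an address from the current-state index, which is the set (disconnected, disabled or newly added virtual NICs) a defender may most want to see; if the intent is only to drop empty records, filtering on `event.kind: state` alone, or stating the exclusion in `description`, would be clearer. `match_phrase` on `event.kind` works but is a full-text query against a keyword field; `term: { event.kind: state }` says what is meant. As in host_info, `latest.unique_key: [id]` relies on `id` being stable per adapter across scans, which agent.yml's "unique document identifier" wording contradicts, so confirm which identifier is meant.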
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/ecs.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/ecs.yml new file mode 100644 index 00000000000..c56cb240566 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/ecs.yml 
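Review bot: `host.ipv6` should be `type: ip` to match `host.ipv4`; the `ip` type handles IPv6 and enables CIDR queries that `keyword` cannot. The `host.hardware.cpu.manufacturer`, `owner` and `serial_number` descriptions still say "Host BIOS …", copied from the bios group. `id` is documented as a per-document identifier but is the `latest.unique_key` in software_inventory_installer/transform.yml, so either the description or the key is wrong; this file is byte-identical to the network_adapter copy, so whichever fix is chosen should land in both.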
@@ -0,0 +1,87 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.architecture +- external: ecs + name: package.description +- external: ecs + name: package.installed + ignore_malformed: true +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.type +- external: ecs + name: package.version +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/fields.yml new file mode 100644 index 00000000000..fec6c53f2e3 --- /dev/null 
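Review bot: `package.installed` carries `ignore_malformed: true`, so an install timestamp the pipeline fails to normalise is dropped silently and the package row survives without a date; that is defensible for inventory, but nothing records that it happened, and anyone later building patch-age logic on this field will not know values can be missing for that reason. A comment above the override such as `# installer-provided dates are free-form; unparsable values are dropped rather than rejecting the document` would make the trade-off visible. The same override is repeated in the rpm and store copies of this file.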
+++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/fields/fields.yml @@ -0,0 +1,16 @@ +- name: package.uninstall + type: text +- name: package.cpe + type: keyword +- name: package.id + type: keyword +- name: package.publisher + type: keyword +- name: package.version_build + type: integer +- name: package.version_major + type: integer +- name: package.version_minor + type: integer +- name: package.version_release + type: integer diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/manifest.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/software_inventory_installer/transform.yml b/packages/tychon/elasticsearch/transform/software_inventory_installer/transform.yml new file mode 100644 index 00000000000..9bdd04203fa --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_installer/transform.yml @@ -0,0 +1,24 @@ +source: + index: + - logs-tychon.tychon_softwareinventory-* + query: + bool: + must: + - match_phrase: + package.type: "installer" +dest: + index: tychon_softwareinventory-installer +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what ports are currently open an endpoint from TYCHON. 
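Review bot: `package.version_build`, `version_major`, `version_minor` and `version_release` are `integer`, but installer version components are frequently non-numeric (`1.0.0-beta`, `2024.1a`); a non-integer value makes the whole document fail indexing unless the pipeline guarantees numeric parts or these four fields get `ignore_malformed: true` as `package.installed` already does. ECS `package.version` is mapped in ecs.yml and Elasticsearch's `version` type (already used for `tychon.version.*` in host_info) sorts version strings correctly, which may remove the need for split components. `package.uninstall` holds an uninstall command string; `keyword` with `ignore_above` is the convention elsewhere in this package for such values, and keeps it aggregatable for hunting unexpected uninstall strings.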
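Review bot: The `description` says the transform tracks "what ports are currently open an endpoint", but this source is `logs-tychon.tychon_softwareinventory-*` filtered to `package.type: installer`; it appears copied from a ports transform and should read something like `description: This transformation maintains the current set of installer-based packages reported by each TYCHON endpoint.` (the rpm and store copies carry the same text). Unlike the rpm transform, the query has no `event.kind: state` clause, so any non-state document would be promoted; `fleet_transform_version: 1.0.3` against rpm's `1.0.5` suggests the filter was added there and not here. `latest.unique_key: [id]` also relies on `id` being stable per package across scans, which agent.yml's "unique document identifier" wording does not support.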
diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/agent.yml 
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml new file mode 100644 index 00000000000..c56cb240566 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/ecs.yml 
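Review bot: `host.ipv6` is `keyword` while `host.ipv4` is `ip`; `type: ip` would make both queryable by CIDR. The three `host.hardware.cpu.*` descriptions below `caption` all say "Host BIOS …" and were evidently copied from the bios group. `id` is described as a document identifier but serves as `latest.unique_key` in software_inventory_rpm/transform.yml; this file is the same blob as the other agent.yml copies in this diff, so the fix should be applied to each.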
@@ -0,0 +1,87 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.architecture +- external: ecs + name: package.description +- external: ecs + name: package.installed + ignore_malformed: true +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.type +- external: ecs + name: package.version +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml new file mode 100644 index 00000000000..fec6c53f2e3 --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/fields/fields.yml @@ -0,0 +1,16 @@ +- name: package.uninstall + type: text +- name: package.cpe + type: keyword +- name: package.id + type: keyword +- name: package.publisher + type: keyword +- name: package.version_build + type: integer +- name: package.version_major + type: integer +- name: package.version_minor + type: integer +- name: package.version_release + type: integer diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml b/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml new file mode 100644 index 00000000000..ceef8eeaae3 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_rpm/transform.yml @@ -0,0 +1,26 @@ +source: + index: + - logs-tychon.tychon_softwareinventory-* + query: + bool: + must: + - match_phrase: + package.type: "rpm" + - match_phrase: + event.kind: "state" +dest: + index: tychon_softwareinventory-rpm +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.5 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what ports are currently open an endpoint from TYCHON. 
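Review bot: The `description` says "what ports are currently open an endpoint", which is wrong for an RPM package inventory sourced from `logs-tychon.tychon_softwareinventory-*`; suggest `description: This transformation maintains the current set of RPM packages reported by each TYCHON endpoint.`. `match_phrase` on the keyword fields `package.type` and `event.kind` would be clearer as `term` queries. The `event.kind: state` clause here is the one the installer and store transforms in this diff lack, so the three queries should be brought into line.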
diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/fields/agent.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/agent.yml new file mode 100644 index 00000000000..2f024c089ab --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/agent.yml 
@@ -0,0 +1,110 @@ +- name: id + description: TYCHON unique document identifier. + type: keyword +- name: elastic_agent + type: group + fields: + - name: id + description: Elastic Agent Id. + type: keyword + - name: snapshot + description: Elastic Agent snapshot. + type: boolean + - name: version + description: Elastic Agent Version. + type: keyword +- name: script + type: group + fields: + - name: current_duration + description: Scanner Script Duration. + type: float + - name: current_time + description: Current datetime. + type: date + - name: name + description: Scanner Script Name. + type: keyword + - name: start + description: Scanner Start datetime. + type: date + - name: type + description: Scanner Script Type. + type: keyword + - name: version + description: Scanner Script Version. + type: keyword +- name: tychon + type: group + fields: + - name: id + description: TYCHON unique host identifier. + type: keyword +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: biossn + description: Host BIOS Serial Number. + type: keyword + - name: ipv4 + description: Host IPv4 addresses. + type: ip + - name: ipv6 + description: Host IPv6 addresses. + type: keyword + - name: workgroup + description: Host Workgroup Network Name. + type: keyword + - name: oem + type: group + fields: + - name: manufacturer + description: Host OEM Manufacturer. + type: keyword + - name: model + description: Host OEM Model. + type: keyword + - name: os + type: group + fields: + - name: build + description: Host OS Build. + type: keyword + - name: description + description: Host OS Description. + type: keyword + - name: organization + description: Host OS Organization. 
+ type: keyword + - name: hardware + type: group + fields: + - name: bios + type: group + fields: + - name: name + description: Host BIOS Name. + type: keyword + - name: version + description: Host BIOS Version. + type: keyword + - name: cpu + type: group + fields: + - name: caption + description: Host CPU Caption. + type: keyword + - name: manufacturer + description: Host BIOS Manufacturer. + type: keyword + - name: owner + description: Host BIOS Owner. + type: keyword + - name: serial_number + description: Host BIOS Serial Number. + type: keyword diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/base-fields.yml new file mode 100644 index 00000000000..b1abf837fb0 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/base-fields.yml @@ -0,0 +1,6 @@ +- name: input.type + description: Source file type. + type: keyword +- name: log.offset + description: Source file current offset. + type: long diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/fields/ecs.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/ecs.yml new file mode 100644 index 00000000000..c56cb240566 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/ecs.yml 
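Review bot: `host.ipv6` should be `type: ip` like `host.ipv4`, since `ip` covers IPv6 and enables CIDR matching. The `host.hardware.cpu.manufacturer`, `owner` and `serial_number` descriptions read "Host BIOS …" and need CPU-specific wording. `id` is described as a per-document identifier yet is the `latest.unique_key` in software_inventory_store/transform.yml; as this file is byte-identical to the other agent.yml copies, correct them together.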
@@ -0,0 +1,87 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: data_stream.dataset +- external: ecs + name: data_stream.namespace +- external: ecs + name: data_stream.type +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.kind +- external: ecs + name: event.module +- external: ecs + name: event.timezone +- external: ecs + name: host.architecture +- external: ecs + name: host.domain +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.kernel +- external: ecs + name: host.os.name +- external: ecs + name: host.os.platform +- external: ecs + name: host.os.type +- external: ecs + name: host.os.version +- external: ecs + name: host.type +- external: ecs + name: host.uptime +- external: ecs + name: log.file.path +- external: ecs + name: package.architecture +- external: ecs + name: package.description +- external: ecs + name: package.installed + ignore_malformed: true +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.type +- external: ecs + name: package.version +- external: ecs + name: tags +- name: error.message + type: match_only_text +- name: event.ingested + type: date diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/fields/fields.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/fields.yml new file mode 100644 index 00000000000..fec6c53f2e3 --- /dev/null 
+++ b/packages/tychon/elasticsearch/transform/software_inventory_store/fields/fields.yml @@ -0,0 +1,16 @@ +- name: package.uninstall + type: text +- name: package.cpe + type: keyword +- name: package.id + type: keyword +- name: package.publisher + type: keyword +- name: package.version_build + type: integer +- name: package.version_major + type: integer +- name: package.version_minor + type: integer +- name: package.version_release + type: integer diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/manifest.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/manifest.yml new file mode 100644 index 00000000000..d2b4a81ca3c --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_store/manifest.yml @@ -0,0 +1,12 @@ +start: true +destination_index_template: + mappings: + dynamic: true + _meta: {} + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: true diff --git a/packages/tychon/elasticsearch/transform/software_inventory_store/transform.yml b/packages/tychon/elasticsearch/transform/software_inventory_store/transform.yml new file mode 100644 index 00000000000..d985ad3617b --- /dev/null +++ b/packages/tychon/elasticsearch/transform/software_inventory_store/transform.yml @@ -0,0 +1,24 @@ +source: + index: + - logs-tychon.tychon_softwareinventory-* + query: + bool: + must: + - match_phrase: + package.type: "store" +dest: + index: tychon_softwareinventory-store +frequency: 30m +sync: + time: + field: 'event.ingested' + delay: 60s +latest: + unique_key: + - id + sort: '@timestamp' +_meta: + fleet_transform_version: 1.0.3 + run_as_kibana_system: false + managed: true +description: This transformation ensures there is a running configuration of what ports are currently open an endpoint from TYCHON. 
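Review bot: The `description` ("what ports are currently open an endpoint") does not describe a store-package inventory built from `logs-tychon.tychon_softwareinventory-*` with `package.type: store`; suggest `description: This transformation maintains the current set of store packages reported by each TYCHON endpoint.`. The query lacks the `event.kind: state` clause the rpm transform has, and `fleet_transform_version: 1.0.3` against rpm's `1.0.5` suggests it was simply not carried over; add `- match_phrase: { event.kind: "state" }` (or a `term` query) so non-state documents are not promoted. `latest.unique_key: [id]` again depends on `id` being stable per package across scans, which agent.yml does not promise.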
diff --git a/packages/tychon/elasticsearch/transform/stig/fields/agent.yml b/packages/tychon/elasticsearch/transform/stig/fields/agent.yml new file mode 100644 index 00000000000..6dd345cff24 --- /dev/null +++ b/packages/tychon/elasticsearch/transform/stig/fields/agent.yml 
@@ -0,0 +1,192 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: id
+ description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment.
+ type: keyword
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: ipv4
+ level: core
+ type: keyword
+ description: Host ip v4 addresses.
+ - name: ipv6
+ level: core
+ type: keyword
+ description: Host ip v6 addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: type
+ description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
+ type: keyword
+ - name: uptime
+ description: Seconds the host has been up.
+ type: long
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: keyword
+ - name: family
+ description: OS family (such as redhat, debian, freebsd, windows).
+ type: keyword
+ - name: name
+ description: Operating system name, without the version.
+ type: keyword
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: version
+ description: Operating system version as a raw string.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/stig/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/stig/fields/base-fields.yml
new file mode 100644
index 00000000000..44a26fd137a
--- /dev/null
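Review bot: The `host.hardware.cpu.manufacturer`, `host.hardware.cpu.owner` and `host.hardware.cpu.serial_number` fields at the end of the stig agent.yml hunk are described as "Host BIOS Manufacturer/Owner/Serial Number", which looks copied from the neighbouring `bios` group; if these really are CPU attributes the descriptions should read `description: Host CPU Manufacturer.` and so on, and if they are BIOS attributes they belong under `host.hardware.bios`. In the same hunk `host.ipv4` and `host.ipv6` are mapped as `keyword` while `host.ip` is `ip`, and the volume agent.yml later in this diff maps `host.ipv4` as `ip`; a Kibana data view spanning both destination indices will report a field-type conflict for `host.ipv4`, so one type should be chosen for all transforms. The `cloud.account.id` example `666777888999` is an unquoted integer for a keyword field and is better quoted. The identical file is added again for stig_linux at the next agent.yml hunk and the cpu descriptions recur in the volume agent.yml hunk.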
+++ b/packages/tychon/elasticsearch/transform/stig/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: input.type
+ description: Source file type.
+ type: keyword
+- name: log.offset
+ description: Source file current offset.
+ type: long
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: keyword
+ description: Event module.
+- name: '@timestamp'
+ description: Event timestamp.
+ type: date
diff --git a/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml
new file mode 100644
index 00000000000..7329d8fd21c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig/fields/ecs.yml
@@ -0,0 +1,54 @@
+- external: ecs
+ name: package.description
+- external: ecs
+ name: package.name
+- external: ecs
+ name: package.reference
+- external: ecs
+ name: package.type
+- external: ecs
+ name: package.build_version
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: error.message
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.platform
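Review bot: `data_stream.namespace` is declared `constant_keyword` in the stig base-fields.yml hunk, but the transform reads from `logs-tychon.tychon_stig-*`, which matches every namespace, and writes into the single destination index `tychon_stig-windows`. A `constant_keyword` field takes its value from the first document indexed and rejects any document carrying a different value, so if two namespaces are in use, the second namespace's STIG results would fail to index and the compliance view would be silently incomplete; `type: keyword` for `data_stream.namespace` (and arguably `data_stream.dataset`, which is constant here anyway) avoids that. This is inferred from the source pattern and the destination index name rather than from a failing run, so worth checking against a multi-namespace deployment. The same base-fields.yml is added again for stig_linux further down.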
diff --git a/packages/tychon/elasticsearch/transform/stig/fields/fields.yml b/packages/tychon/elasticsearch/transform/stig/fields/fields.yml
new file mode 100644
index 00000000000..864e77b3f8f
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig/fields/fields.yml
@@ -0,0 +1,126 @@
+- name: id
+ description: Tychon Unique Stig Id.
+ type: keyword
+- name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark GUID.
+ type: keyword
+ - name: generated_utc
+ description: Benchmark UTC.
+ type: keyword
+ - name: hash
+ description: Benchmark SHA256 Hash
+ type: keyword
+ - name: name
+ description: Benchmark Name.
+ type: keyword
+ - name: title
+ description: Benchmark Title.
+ type: keyword
+ - name: version
+ description: Benchmark Version.
+ type: keyword
+ - name: list
+ description: Benchmark Summary Name List.
+ type: keyword
+ - name: count
+ description: Benchmark Summary Name List Item Count.
+ type: long
+- name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Rule Reference Identifier.
+ type: keyword
+- name: rule
+ type: group
+ fields:
+ - name: id
+ description: Benchmark Rule Identifier.
+ type: keyword
+ - name: finding_id
+ description: Benchmark Rule Finding Identifier.
+ type: keyword
+ - name: result
+ description: Benchmark Rule Results.
+ type: keyword
+ - name: severity
+ description: Benchmark Severity Status.
+ type: keyword
+ - name: stig_id
+ description: Stig rule id
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: vulnerability_id
+ description: Rule vulnerability id.
+ type: keyword
+ - name: weight
+ description: Benchmark Rule Weight.
+ type: float
+ - name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark Rule GUID.
+ type: keyword
+ - name: profile.id
+ description: Benchmark Rule Profile Identifier.
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Reference Identifier.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/stig/manifest.yml b/packages/tychon/elasticsearch/transform/stig/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/stig/transform.yml b/packages/tychon/elasticsearch/transform/stig/transform.yml
new file mode 100644
index 00000000000..ece5e59e8b9
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig/transform.yml
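Review bot: `benchmark.generated_utc` in the stig fields.yml hunk is mapped as `keyword` although its description ("Benchmark UTC.") and name suggest a timestamp, while `script.current_time` and `script.start` in the same file are `date`; if the value is a timestamp it should be `type: date` so it can be used in time filters and age checks of the benchmark. `script.current_duration` is `long` here but `float` in the volume agent.yml later in the diff, which will surface as a type conflict in any data view covering both destination indices. Two descriptions in this hunk lack a terminating period (`description: Benchmark SHA256 Hash` and `description: Stig rule id`), and `rule.severity` is described as "Benchmark Severity Status" although it is a rule-level field. The same fields.yml is added again for stig_linux further down.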
@@ -0,0 +1,24 @@
+source:
+ index:
+ - logs-tychon.tychon_stig-*
+ query:
+ bool:
+ must:
+ - match_phrase:
+ host.os.family: "windows"
+dest:
+ index: tychon_stig-windows
+frequency: 30m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.3
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what Windows STIG SCAP results are from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml
new file mode 100644
index 00000000000..6dd345cff24
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/agent.yml
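Review bot: The Windows STIG transform's query in this hunk has only the `host.os.family: "windows"` clause, whereas the Linux sibling later in the diff additionally requires `event.kind: "state"`; without that clause any non-state event from a Windows host that shares an `id` with a state document can become the "latest" document and replace the actual compliance result in `tychon_stig-windows`. Adding `- match_phrase:` / `event.kind: "state"` under `must` would make the two transforms select the same kind of document. The Linux transform also filters on `host.os.type`, which is the ECS normalized OS enum, while this one uses `host.os.family`, which is the distribution family; using `host.os.type: "windows"` here would be the consistent choice, though the data TYCHON populates should be checked before switching. The `fleet_transform_version` values also differ (1.0.3 here, 1.0.5 for Linux), which may be intentional but is worth confirming.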
@@ -0,0 +1,192 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: id
+ description: Unique host id. As hostname is not always unique, use values that are meaningful in your environment.
+ type: keyword
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: ipv4
+ level: core
+ type: keyword
+ description: Host ip v4 addresses.
+ - name: ipv6
+ level: core
+ type: keyword
+ description: Host ip v6 addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: type
+ description: Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
+ type: keyword
+ - name: uptime
+ description: Seconds the host has been up.
+ type: long
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: keyword
+ - name: family
+ description: OS family (such as redhat, debian, freebsd, windows).
+ type: keyword
+ - name: name
+ description: Operating system name, without the version.
+ type: keyword
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: version
+ description: Operating system version as a raw string.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml
new file mode 100644
index 00000000000..44a26fd137a
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/base-fields.yml
@@ -0,0 +1,21 @@
+- name: input.type
+ description: Source file type.
+ type: keyword
+- name: log.offset
+ description: Source file current offset.
+ type: long
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: keyword
+ description: Event module.
+- name: '@timestamp'
+ description: Event timestamp.
+ type: date
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml
new file mode 100644
index 00000000000..7329d8fd21c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/ecs.yml
@@ -0,0 +1,54 @@
+- external: ecs
+ name: package.description
+- external: ecs
+ name: package.name
+- external: ecs
+ name: package.reference
+- external: ecs
+ name: package.type
+- external: ecs
+ name: package.build_version
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: error.message
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.platform
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml b/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml
new file mode 100644
index 00000000000..864e77b3f8f
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/fields/fields.yml
@@ -0,0 +1,126 @@
+- name: id
+ description: Tychon Unique Stig Id.
+ type: keyword
+- name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark GUID.
+ type: keyword
+ - name: generated_utc
+ description: Benchmark UTC.
+ type: keyword
+ - name: hash
+ description: Benchmark SHA256 Hash
+ type: keyword
+ - name: name
+ description: Benchmark Name.
+ type: keyword
+ - name: title
+ description: Benchmark Title.
+ type: keyword
+ - name: version
+ description: Benchmark Version.
+ type: keyword
+ - name: list
+ description: Benchmark Summary Name List.
+ type: keyword
+ - name: count
+ description: Benchmark Summary Name List Item Count.
+ type: long
+- name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Rule Reference Identifier.
+ type: keyword
+- name: rule
+ type: group
+ fields:
+ - name: id
+ description: Benchmark Rule Identifier.
+ type: keyword
+ - name: finding_id
+ description: Benchmark Rule Finding Identifier.
+ type: keyword
+ - name: result
+ description: Benchmark Rule Results.
+ type: keyword
+ - name: severity
+ description: Benchmark Severity Status.
+ type: keyword
+ - name: stig_id
+ description: Stig rule id
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: vulnerability_id
+ description: Rule vulnerability id.
+ type: keyword
+ - name: weight
+ description: Benchmark Rule Weight.
+ type: float
+ - name: benchmark
+ type: group
+ fields:
+ - name: guid
+ description: Benchmark Rule GUID.
+ type: keyword
+ - name: profile.id
+ description: Benchmark Rule Profile Identifier.
+ type: keyword
+ - name: title
+ description: Benchmark Rule Title.
+ type: keyword
+ - name: oval
+ type: group
+ fields:
+ - name: id
+ description: Open Vulnerabilities and Assessment Language Identifier.
+ type: keyword
+ - name: class
+ description: Open Vulnerabilities and Assessment Language Class.
+ type: keyword
+ - name: refid
+ description: Open Vulnerabilities and Assessment Language Reference Identifier.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: long
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml b/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/stig_linux/transform.yml b/packages/tychon/elasticsearch/transform/stig_linux/transform.yml
new file mode 100644
index 00000000000..fa423d73d67
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/stig_linux/transform.yml
@@ -0,0 +1,26 @@
+source:
+ index:
+ - logs-tychon.tychon_stig-*
+ query:
+ bool:
+ must:
+ - match_phrase:
+ host.os.type: "linux"
+ - match_phrase:
+ event.kind: "state"
+dest:
+ index: tychon_stig-linux
+frequency: 30m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.5
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what Windows STIG SCAP results are from TYCHON.
diff --git a/packages/tychon/elasticsearch/transform/volume/fields/agent.yml b/packages/tychon/elasticsearch/transform/volume/fields/agent.yml
new file mode 100644
index 00000000000..2f024c089ab
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/fields/agent.yml
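Review bot: The `description` at the end of the stig_linux transform.yml hunk still says "Windows STIG SCAP results" although the query selects `host.os.type: "linux"` and writes to `tychon_stig-linux`; it should read `description: This transformation ensures there is a running configuration of what Linux STIG SCAP results are from TYCHON.`. Since this description is what operators see in the transform listing, the wrong OS name makes the Windows and Linux transforms indistinguishable there.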
@@ -0,0 +1,110 @@
+- name: id
+ description: TYCHON unique document identifier.
+ type: keyword
+- name: elastic_agent
+ type: group
+ fields:
+ - name: id
+ description: Elastic Agent Id.
+ type: keyword
+ - name: snapshot
+ description: Elastic Agent snapshot.
+ type: boolean
+ - name: version
+ description: Elastic Agent Version.
+ type: keyword
+- name: script
+ type: group
+ fields:
+ - name: current_duration
+ description: Scanner Script Duration.
+ type: float
+ - name: current_time
+ description: Current datetime.
+ type: date
+ - name: name
+ description: Scanner Script Name.
+ type: keyword
+ - name: start
+ description: Scanner Start datetime.
+ type: date
+ - name: type
+ description: Scanner Script Type.
+ type: keyword
+ - name: version
+ description: Scanner Script Version.
+ type: keyword
+- name: tychon
+ type: group
+ fields:
+ - name: id
+ description: TYCHON unique host identifier.
+ type: keyword
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: biossn
+ description: Host BIOS Serial Number.
+ type: keyword
+ - name: ipv4
+ description: Host IPv4 addresses.
+ type: ip
+ - name: ipv6
+ description: Host IPv6 addresses.
+ type: keyword
+ - name: workgroup
+ description: Host Workgroup Network Name.
+ type: keyword
+ - name: oem
+ type: group
+ fields:
+ - name: manufacturer
+ description: Host OEM Manufacturer.
+ type: keyword
+ - name: model
+ description: Host OEM Model.
+ type: keyword
+ - name: os
+ type: group
+ fields:
+ - name: build
+ description: Host OS Build.
+ type: keyword
+ - name: description
+ description: Host OS Description.
+ type: keyword
+ - name: organization
+ description: Host OS Organization.
+ type: keyword
+ - name: hardware
+ type: group
+ fields:
+ - name: bios
+ type: group
+ fields:
+ - name: name
+ description: Host BIOS Name.
+ type: keyword
+ - name: version
+ description: Host BIOS Version.
+ type: keyword
+ - name: cpu
+ type: group
+ fields:
+ - name: caption
+ description: Host CPU Caption.
+ type: keyword
+ - name: manufacturer
+ description: Host BIOS Manufacturer.
+ type: keyword
+ - name: owner
+ description: Host BIOS Owner.
+ type: keyword
+ - name: serial_number
+ description: Host BIOS Serial Number.
+ type: keyword
diff --git a/packages/tychon/elasticsearch/transform/volume/fields/base-fields.yml b/packages/tychon/elasticsearch/transform/volume/fields/base-fields.yml
new file mode 100644
index 00000000000..b1abf837fb0
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/fields/base-fields.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Source file type.
+ type: keyword
+- name: log.offset
+ description: Source file current offset.
+ type: long
diff --git a/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml
new file mode 100644
index 00000000000..2f2e3e60d99
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/fields/ecs.yml
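Review bot: In the volume agent.yml hunk `host.ipv4` is mapped as `ip` but `host.ipv6` as `keyword`; an IPv6 address is an equally valid value for the `ip` type, and mapping it as keyword loses CIDR/range queries on that field, so `type: ip` for `host.ipv6` (or keyword for both, matching the stig agent.yml in this diff) would be consistent. The hunk also declares both a top-level `id` ("TYCHON unique document identifier") and `tychon.id` ("TYCHON unique host identifier"); the volume transform later in the diff uses `id` as the `latest.unique_key`, so if `id` really is per-document rather than per-volume the transform will retain every document instead of the latest state per volume, which is worth confirming. The enclosing agent.yml hunk starts in the previous line.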
@@ -0,0 +1,70 @@
+- external: ecs
+ name: '@timestamp'
+- external: ecs
+ name: agent.ephemeral_id
+- external: ecs
+ name: agent.id
+- external: ecs
+ name: agent.name
+- external: ecs
+ name: agent.type
+- external: ecs
+ name: agent.version
+- external: ecs
+ name: data_stream.dataset
+- external: ecs
+ name: data_stream.namespace
+- external: ecs
+ name: data_stream.type
+- external: ecs
+ name: ecs.version
+- name: error.message
+ type: match_only_text
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.dataset
+- name: event.ingested
+ type: date
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.type
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: host.uptime
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
diff --git a/packages/tychon/elasticsearch/transform/volume/fields/fields.yml b/packages/tychon/elasticsearch/transform/volume/fields/fields.yml
new file mode 100644
index 00000000000..510274e1fba
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/fields/fields.yml
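Review bot: `error.message` and `event.ingested` are the only two entries in the volume ecs.yml hunk declared with an explicit `type` instead of `external: ecs`, whereas the stig ecs.yml files earlier in this diff pull both from ECS. Unless a deliberate deviation from the ECS definition is intended, `- external: ecs` / `name: error.message` and `- external: ecs` / `name: event.ingested` keep this file in step with the siblings and with future ECS updates.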
@@ -0,0 +1,34 @@
+- name: volume.automount
+ type: boolean
+- name: volume.block_size
+ type: long
+- name: volume.dirty_bit_set
+ type: boolean
+- name: volume.dos_device_path
+ type: text
+- name: volume.drive.letter
+ type: keyword
+- name: volume.drive.type
+ type: keyword
+- name: volume.file_system
+ type: keyword
+- name: volume.freespace
+ type: long
+- name: volume.id
+ type: keyword
+- name: volume.name
+ type: keyword
+- name: volume.page_file_present
+ type: boolean
+- name: volume.percent_full
+ type: float
+- name: volume.power_management_supported
+ type: boolean
+- name: volume.purpose
+ type: keyword
+- name: volume.serial_number
+ type: keyword
+- name: volume.size
+ type: long
+- name: volume.system_volume
+ type: boolean
diff --git a/packages/tychon/elasticsearch/transform/volume/manifest.yml b/packages/tychon/elasticsearch/transform/volume/manifest.yml
new file mode 100644
index 00000000000..d2b4a81ca3c
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/manifest.yml
@@ -0,0 +1,12 @@
+start: true
+destination_index_template:
+ mappings:
+ dynamic: true
+ _meta: {}
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: true
diff --git a/packages/tychon/elasticsearch/transform/volume/transform.yml b/packages/tychon/elasticsearch/transform/volume/transform.yml
new file mode 100644
index 00000000000..bb49ae41b36
--- /dev/null
+++ b/packages/tychon/elasticsearch/transform/volume/transform.yml
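Review bot: None of the seventeen `volume.*` fields in the volume fields.yml hunk carries a `description`, unlike every other fields file in this diff, so a reader of the generated package documentation cannot tell what `volume.dirty_bit_set`, `volume.purpose` or `volume.freespace` hold or in which unit `volume.size`, `volume.freespace` and `volume.block_size` are expressed. Each entry should get a one-line `description:` stating meaning and unit, e.g. `description: Free space on the volume in bytes.` if bytes is indeed the unit. `volume.dos_device_path` is also the only `text` field here; if it is used for exact-match filtering in the dashboards, `keyword` would be the more useful type.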
@@ -0,0 +1,24 @@
+source:
+ index:
+ - logs-tychon.tychon_volume-*
+ query:
+ bool:
+ must:
+ - match_phrase:
+ event.kind: "state"
+dest:
+ index: tychon_volume
+frequency: 30m
+sync:
+ time:
+ field: 'event.ingested'
+ delay: 60s
+latest:
+ unique_key:
+ - id
+ sort: '@timestamp'
+_meta:
+ fleet_transform_version: 1.0.4
+ run_as_kibana_system: false
+ managed: true
+description: This transformation ensures there is a running configuration of what volumes are currently on a device from TYCHON.
diff --git a/packages/tychon/img/TYCHONScreenShot_1.png b/packages/tychon/img/TYCHONScreenShot_1.png
new file mode 100644
index 00000000000..cdd181eb9c2
Binary files /dev/null and b/packages/tychon/img/TYCHONScreenShot_1.png differ
diff --git a/packages/tychon/img/TYCHONScreenShot_2.png b/packages/tychon/img/TYCHONScreenShot_2.png
new file mode 100644
index 00000000000..dcf2f73ae6d
Binary files /dev/null and b/packages/tychon/img/TYCHONScreenShot_2.png differ
diff --git a/packages/tychon/img/TychonLogo.svg b/packages/tychon/img/TychonLogo.svg
new file mode 100644
index 00000000000..47b482d3444
--- /dev/null
+++ b/packages/tychon/img/TychonLogo.svg
@@ -0,0 +1,59 @@ + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/packages/tychon/img/TychonScreenshot.png b/packages/tychon/img/TychonScreenshot.png
new file mode 100644
index 00000000000..9207bbeac58
Binary files /dev/null and b/packages/tychon/img/TychonScreenshot.png differ
diff --git a/packages/tychon/img/tychon-color.png b/packages/tychon/img/tychon-color.png
new file mode 100644
index 00000000000..0e2c6d9f1d5
Binary files /dev/null and b/packages/tychon/img/tychon-color.png differ
diff --git a/packages/tychon/kibana/dashboard/tychon-078edb40-d137-11e9-a2af-693b633cf871-stig.json b/packages/tychon/kibana/dashboard/tychon-078edb40-d137-11e9-a2af-693b633cf871-stig.json
new file mode 100644
index 00000000000..116d2cee793
--- /dev/null
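Review bot: `latest.unique_key` is the single top-level field `id`, which neither the volume fields.yml nor the ECS field list earlier in this diff declares (they declare `volume.id`, `host.id` and `agent.id`). As far as I know a latest transform only keeps documents that have a value for every unique_key field, so source documents without a top-level `id` would silently never appear in `tychon_volume`, and if `id` is a per-volume value it can collide across hosts (cloned images, identical serials), letting one host's volume state overwrite another's. Confirm that the ingest pipeline for `logs-tychon.tychon_volume-*` sets `id`, and consider keying on the host as well, `unique_key:` / `  - host.id` / `  - volume.id`, so each host keeps its own row per volume. A one-line comment above `unique_key` naming which document field `id` is and why it is unique would also save the next maintainer this question.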
+++ b/packages/tychon/kibana/dashboard/tychon-078edb40-d137-11e9-a2af-693b633cf871-stig.json 
@@ -0,0 +1,168 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"49a66ed0-406a-4bd8-b21b-965eb1f497f9\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"49a66ed0-406a-4bd8-b21b-965eb1f497f9\",\"fieldName\":\"benchmark.name\",\"title\":\"Benchmark\",\"singleSelect\":false,\"enhancements\":{}}},\"dbbeb350-d58e-4ea2-8079-2b9d4478974f\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"small\",\"explicitInput\":{\"id\":\"dbbeb350-d58e-4ea2-8079-2b9d4478974f\",\"fieldName\":\"rule.stig_id\",\"title\":\"STIG ID\",\"enhancements\":{}}},\"44a753fb-4299-48af-b65f-ebb50e7a8c3b\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":false,\"width\":\"small\",\"explicitInput\":{\"id\":\"44a753fb-4299-48af-b65f-ebb50e7a8c3b\",\"fieldName\":\"rule.finding_id\",\"title\":\"Finding ID\",\"singleSelect\":false,\"enhancements\":{}}},\"ac743466-b33c-422d-a482-e9a04f6351ca\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ac743466-b33c-422d-a482-e9a04f6351ca\",\"fieldName\":\"rule.oval.id\",\"title\":\"OVAL ID\",\"enhancements\":{}}}}" + }, + "description": "Analyze the status of your current STIG scans run against your endpoints.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":4,\"i\":\"c9a6aaf7-7ebd-43d6-ae37-eb8664d5c0c5\"},\"panelIndex\":\"c9a6aaf7-7ebd-43d6-ae37-eb8664d5c0c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"6fff9691-3ddd-4388-8285-de60ad5d992f\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":0,\"rangeMax\":100,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":33.33},{\"color\":\"#d6bf57\",\"stop\":66.66},{\"color\":\"#cc5642\",\"stop\":100}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"maxAccessor\":\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\",\"showBar\":true,\"progressDirection\":\"horizontal\",\"subtitle\":\"Failed tests to all tests.\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6fff9691-3ddd-4388-8285-de60ad5d992f\":{\"columns\":{\"71671d69-d31c-4a61-9ee3-68bacec8d16f\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result: \\\"fail\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"rule.result: \\\"fail\\\" or rule.result: 
\\\"pass\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":0,\"w\":8,\"h\":6,\"i\":\"2b7c414a-b5fb-4a90-9231-26aaa796e7bf\"},\"panelIndex\":\"2b7c414a-b5fb-4a90-9231-26aaa796e7bf\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-dd63da37-c38e-481c-8749-8d1939e14d4f\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"dd63da37-c38e-481c-8749-8d1939e14d4f\",\"accessor\":\"600ef522-0a03-40d3-8833-3090b2b3fe47\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd63da37-c38e-481c-8749-8d1939e14d4f\":{\"columns\":{\"600ef522-0a03-40d3-8833-3090b2b3fe47\":{\"label\":\"Total 
Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"600ef522-0a03-40d3-8833-3090b2b3fe47\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":0,\"w\":9,\"h\":6,\"i\":\"6cb8b7bb-6752-4d80-b398-16c5b02eb0b6\"},\"panelIndex\":\"6cb8b7bb-6752-4d80-b398-16c5b02eb0b6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-bbddf942-4f39-4965-9729-159c62ef2d15\"}],\"state\":{\"visualization\":{\"layerId\":\"bbddf942-4f39-4965-9729-159c62ef2d15\",\"accessor\":\"c8b77c55-379a-4ac9-baae-bb94adc9f85d\",\"layerType\":\"data\",\"size\":\"xl\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bbddf942-4f39-4965-9729-159c62ef2d15\":{\"columns\":{\"c8b77c55-379a-4ac9-baae-bb94adc9f85d\":{\"label\":\"Total 
Rules\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c8b77c55-379a-4ac9-baae-bb94adc9f85d\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":0,\"w\":4,\"h\":11,\"i\":\"655f71a3-4dd4-4429-9163-46300ac07597\"},\"panelIndex\":\"655f71a3-4dd4-4429-9163-46300ac07597\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"| CCRI Score | Description |\\n| :------------ | :------------ |\\n| 20-100% | Critical Concern |\\n| 10-20% | Moderate Concern |\\n| 0-10% | Minor Concern |\\n| 0% | No Concern |\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":0,\"w\":14,\"h\":20,\"i\":\"149977b6-c38d-4715-974d-641c1fc8e57b\"},\"panelIndex\":\"149977b6-c38d-4715-974d-641c1fc8e57b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-5e88cf37-b3d3-4794-acb6-5e30cdcfd93e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"5e88cf37-b3d3-4794-acb6-5e30cdcfd93e\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"3af96ad3-0927-4d98-926f-ff4a49627148\",\"oneClickFilter\":true},{\"columnId\":\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8\",\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params
\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}},\"hidden\":false,\"summaryRow\":\"avg\"}]},\"query\":{\"query\":\"rule.result.score :*\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5e88cf37-b3d3-4794-acb6-5e30cdcfd93e\":{\"columns\":{\"3af96ad3-0927-4d98-926f-ff4a49627148\":{\"label\":\"Benchmark\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"benchmarkname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X0\":{\"label\":\"Part of Score %\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X1\":{\"label\":\"Part of Score %\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X2\":{\"label\":\"Part of Score %\",\"dataType\":\"number\",\"operationType\":\"overall_sum\",\"isBucketed\":false,\"scale\":\"ratio\",\"references\":[\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X1\"],\"customLabel\":true},\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X3\":{\"label\":\"Part of Score 
%\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X0\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X2\"],\"location\":{\"min\":0,\"max\":62},\"text\":\"(sum(rule.result.score) / overall_sum(sum(rule.result.score)))\"}},\"references\":[\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X0\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X2\"],\"customLabel\":true},\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8\":{\"label\":\"Score %\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(sum(rule.result.score) / overall_sum(sum(rule.result.score)))\",\"isFormulaBroken\":false,\"format\":{\"id\":\"percent\",\"params\":{\"decimals\":0}}},\"references\":[\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X3\"],\"customLabel\":true}},\"columnOrder\":[\"3af96ad3-0927-4d98-926f-ff4a49627148\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X0\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X1\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X2\",\"4136d2b6-93b1-42bb-ad71-6a19e3cc12b8X3\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":4,\"w\":13,\"h\":4,\"i\":\"cec1fd74-b355-4dde-a4d0-a249bbe4f600\"},\"panelIndex\":\"cec1fd74-b355-4dde-a4d0-a249bbe4f600\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"6fff9691-3ddd-4388-8285-de60ad5d992f\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\
"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#E7664C\",\"stop\":33.33},{\"color\":\"#DA8B45\",\"stop\":66.66},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#E7664C\",\"stop\":null},{\"color\":\"#DA8B45\",\"stop\":33.33},{\"color\":\"#6092C0\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"maxAccessor\":\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\",\"showBar\":true,\"progressDirection\":\"horizontal\",\"subtitle\":\"Passed tests to all tests.\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6fff9691-3ddd-4388-8285-de60ad5d992f\":{\"columns\":{\"71671d69-d31c-4a61-9ee3-68bacec8d16f\":{\"label\":\"Total Passes\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result: \\\"pass\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"rule.result: \\\"fail\\\" or rule.result: 
\\\"pass\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":6,\"w\":8,\"h\":10,\"i\":\"28e2a613-0d7f-4476-aed1-7175f2a18f28\"},\"panelIndex\":\"28e2a613-0d7f-4476-aed1-7175f2a18f28\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-7ab9f589-0859-4a2d-a405-8041d7078f67\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"7ab9f589-0859-4a2d-a405-8041d7078f67\",\"primaryGroups\":[\"2e5e2a7f-5d61-4b93-b105-11d149d39607\"],\"secondaryGroups\":[],\"metrics\":[\"45feac65-b609-44f9-832f-b6d72365b5d8\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"allowMultipleMetrics\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7ab9f589-0859-4a2d-a405-8041d7078f67\":{\"columns\":{\"2e5e2a7f-5d61-4b93-b105-11d149d39607\":{\"label\":\"OS Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"45feac65-b609-44f9-832f-b6d72365b5d8\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"45feac65-b609-44f9-832f-b6d72365b5d8\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2e5e2a7f-5d61-4b93-b105-11d149d39607\",\"45feac65-b609-44f9-832f-b6d72365b5d8\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Operating System\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":6,\"w\":9,\"h\":10,\"i\":\"13f2d060-9d0e-4fba-9ab5-d2f3baeb0250\"},\"panelIndex\":\"13f2d060-9d0e-4fba-9ab5-d2f3baeb0250\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-8d93f7aa-9914-492a-a515-42761f7602a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"8d93f7aa-9914-492a-a515-42761f7602a6\",\"primaryGroups\":[\"9fb8d8eb-a066-4a91-8fdc-2fb8a632698d\"],\"metrics\":[\"9185484c-03ef-4d02-8714-d3226d0fc7a2\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"collapseFns\":{\"5d8b4201-d4ea-4da3-a2a8-a70c399b406e\":\"\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"8d93f7aa-9914-492a-a515-42761f7602a6\":{\"columns\":{\"9185484c-03ef-4d02-8714-d3226d0fc7a2\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"9fb8d8eb-a066-4a91-8fdc-2fb8a632698d\":{\"label\":\"Top 3 values of 
host.os.kernel\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.kernel\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9185484c-03ef-4d02-8714-d3226d0fc7a2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"9fb8d8eb-a066-4a91-8fdc-2fb8a632698d\",\"9185484c-03ef-4d02-8714-d3226d0fc7a2\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Kernels\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":13,\"h\":8,\"i\":\"87fa7e60-7def-4b15-a49b-1f651cfee463\"},\"panelIndex\":\"87fa7e60-7def-4b15-a49b-1f651cfee463\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2\",\"isTransposed\":false},{\"columnId\":\"31cd5bd5-bf05-4039-a241-c75a16ad9165\",\"isTransposed\":false,\"summaryRow\":\"sum\",\"summaryLabel\":\"Total\"},{\"columnId\":\"87f792ec-41cb-4052-ae3c-8e39032305c0\",\"isTransposed\":false,\"summaryRow\":\"sum\",\"summaryLabel\":\"Total\"}],\"layerId\":\"93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9\":{\"columns\":{\"ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2\":{\"label\":\"Severity\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"or
dinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.severity :\\\"high\\\" \",\"language\":\"kuery\"},\"label\":\"CAT I\"},{\"input\":{\"query\":\"rule.severity : \\\"medium\\\" \",\"language\":\"kuery\"},\"label\":\"CAT II\"},{\"input\":{\"query\":\"rule.severity : \\\"low\\\" \",\"language\":\"kuery\"},\"label\":\"CAT III\"}]},\"customLabel\":true},\"31cd5bd5-bf05-4039-a241-c75a16ad9165\":{\"label\":\"Total Fails\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"87f792ec-41cb-4052-ae3c-8e39032305c0\":{\"label\":\"Total Pass\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result : \\\"pass\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2\",\"31cd5bd5-bf05-4039-a241-c75a16ad9165\",\"87f792ec-41cb-4052-ae3c-8e39032305c0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"Passes and Fails broken down by the rule severity level.\",\"enhancements\":{}},\"title\":\"Severity 
Breakdown\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":30,\"y\":11,\"w\":4,\"h\":20,\"i\":\"ca6d3287-d16e-4e2f-9216-6140f4f2b4c1\"},\"panelIndex\":\"ca6d3287-d16e-4e2f-9216-6140f4f2b4c1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-771df181-6280-4ee3-b215-d26003efa966\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"verticalBullet\",\"layerId\":\"771df181-6280-4ee3-b215-d26003efa966\",\"layerType\":\"data\",\"ticksPosition\":\"bands\",\"labelMajorMode\":\"auto\",\"metricAccessor\":\"33881eb3-ce77-4a4f-b41f-e74e4b17ff86\",\"maxAccessor\":\"e31a8da1-6c99-4e57-a6f6-510b5d44e88b\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#AFB8C680\",\"stop\":33.33},{\"color\":\"#DA8B45\",\"stop\":66.66},{\"color\":\"#E7664C\",\"stop\":100}],\"colorStops\":[{\"color\":\"#AFB8C680\",\"stop\":null},{\"color\":\"#DA8B45\",\"stop\":33.33},{\"color\":\"#E7664C\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"colorMode\":\"palette\",\"minAccessor\":\"ccf28f2a-27d2-4cc2-a4c0-f9d06ea672dc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"771df181-6280-4ee3-b215-d26003efa966\":{\"columns\":{\"33881eb3-ce77-4a4f-b41f-e74e4b17ff86\":{\"label\":\"Failure Score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"rule.result: \\\"fail\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"e31a8da1-6c99-4e57-a6f6-510b5d44e88b\":{\"label\":\"Sum of 
rule.weight\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.weight\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"rule.result : \\\"fail\\\" or rule.result : \\\"pass\\\"\",\"language\":\"kuery\"}},\"ccf28f2a-27d2-4cc2-a4c0-f9d06ea672dc\":{\"label\":\"Static value: 0\",\"dataType\":\"number\",\"operationType\":\"static_value\",\"isStaticValue\":true,\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"value\":\"0\"},\"references\":[]}},\"columnOrder\":[\"33881eb3-ce77-4a4f-b41f-e74e4b17ff86\",\"e31a8da1-6c99-4e57-a6f6-510b5d44e88b\",\"ccf28f2a-27d2-4cc2-a4c0-f9d06ea672dc\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":16,\"w\":30,\"h\":15,\"i\":\"3d731c15-8a40-45e3-bb29-f6aed782e586\"},\"panelIndex\":\"3d731c15-8a40-45e3-bb29-f6aed782e586\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-cbc12900-bf4a-46dd-b2a6-bd0477c82967\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"30c31964-540e-4717-bd75-e40ea661192e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"ff66c536-1d5f-4bb4-8890-ec64e448627a\",\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}},{\"columnId\":\"eca93477-246
4-4ff3-bc2a-63468a90b200\",\"isTransposed\":false,\"alignment\":\"center\",\"oneClickFilter\":true},{\"columnId\":\"8bdbac72-279d-4c9a-a1b8-0bd49791e78d\",\"isTransposed\":false,\"oneClickFilter\":false,\"alignment\":\"center\"},{\"columnId\":\"d84fce0c-6ffe-47fe-a85c-6286ca255f7f\",\"isTransposed\":true}],\"layerId\":\"cbc12900-bf4a-46dd-b2a6-bd0477c82967\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"cbc12900-bf4a-46dd-b2a6-bd0477c82967\":{\"columns\":{\"30c31964-540e-4717-bd75-e40ea661192e\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"custom\"},\"orderAgg\":{\"label\":\"Sum of rule.result.score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ff66c536-1d5f-4bb4-8890-ec64e448627a\":{\"label\":\"Overall Score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"eca93477-2464-4ff3-bc2a-63468a90b200\":{\"label\":\"IP 
Address\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8bdbac72-279d-4c9a-a1b8-0bd49791e78d\":{\"label\":\"Domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"d84fce0c-6ffe-47fe-a85c-6286ca255f7f\":{\"label\":\"Benchmark Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"benchmark.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ff66c536-1d5f-4bb4-8890-ec64e448627a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"d84fce0c-6ffe-47fe-a85c-6286ca255f7f\",\"30c31964-540e-4717-bd75-e40ea661192e\",\"eca93477-2464-4ff3-bc2a-63468a90b200\",\"8bdbac72-279d-4c9a-a1b8-0bd49791e78d\",\"ff66c536-1d5f-4bb4-8890-ec64e448627a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"3c0dfe4d-c571-4127-ba6c-7362042cf2e2\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\
",\"name\":\"View Benchmark Results for this Endpoint\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"description\":\"By host breakdown of failing STIG checks and the sum of their score.\"},\"title\":\"Top 100 Vulnerable Hosts\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":20,\"w\":14,\"h\":11,\"i\":\"5bf2f4f8-4744-4f94-b99d-69b88ff226d1\"},\"panelIndex\":\"5bf2f4f8-4744-4f94-b99d-69b88ff226d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-0e956b5d-4b99-4efc-98a3-8b5ad23c4cab\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0e956b5d-4b99-4efc-98a3-8b5ad23c4cab\",\"accessors\":[\"b876dcfc-0fd2-4fcb-9602-65c9ea2c85fe\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"cb589ffa-895e-453a-ad68-df02d014d992\"}]},\"query\":{\"query\":\"event.code: 
8107\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0e956b5d-4b99-4efc-98a3-8b5ad23c4cab\":{\"columns\":{\"cb589ffa-895e-453a-ad68-df02d014d992\":{\"label\":\"event.created\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.created\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"h\",\"includeEmptyRows\":true,\"dropPartials\":false,\"ignoreTimeRange\":true}},\"b876dcfc-0fd2-4fcb-9602-65c9ea2c85fe\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"cb589ffa-895e-453a-ad68-df02d014d992\",\"b876dcfc-0fd2-4fcb-9602-65c9ea2c85fe\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This is the event trigger of Benchmark scans completed on endpoints. This is not based on results but on the event log flagging that a scan was completed. 
\"},\"title\":\"Benchmark Scan Rates\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":31,\"w\":11,\"h\":25,\"i\":\"100e003c-689d-4ccb-a36e-3a61c8aa1f37\"},\"panelIndex\":\"100e003c-689d-4ccb-a36e-3a61c8aa1f37\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-531949cb-8d36-4358-b503-c470db2357b8\"},{\"type\":\"index-pattern\",\"name\":\"68fe6bfd-8554-40ce-9803-f0fa1fa5f047\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\"}],\"state\":{\"visualization\":{\"layerId\":\"531949cb-8d36-4358-b503-c470db2357b8\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"694097f4-e845-4f15-a42b-3fd4b5731141\"},{\"isTransposed\":false,\"columnId\":\"24eae38e-8e7e-40fd-aa3a-19cd55219b6c\"},{\"isTransposed\":false,\"columnId\":\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"},{\"columnId\":\"20ad1142-7e78-47f7-8889-6069ad3f7a46\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"2a90ac34-3274-49b2-bac3-2dac93b5e0a6\",\"isTransposed\":false,\"alignment\":\"center\"}],\"paging\":{\"enabled\":true,\"size\":30}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"68fe6bfd-8554-40ce-9803-f0fa1fa5f047\",\"negate\":true,\"type\":\"phrase\",\"key\":\"STIG_ID\",\"params\":{\"query\":\"\"},\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"STIG_ID\":\"\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"531949cb-8d36-4358-b503-c470db2357b8\":{\"columns\":{\"694097f4-e845-4f15-a42b-3fd4b5731141\":{\"label\":\"Vuln 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"VULN_ID\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"24eae38e-8e7e-40fd-aa3a-19cd55219b6c\":{\"label\":\"STIG ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.stig_id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"20ad1142-7e78-47f7-8889-6069ad3f7a46\":{\"label\":\"Result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.result\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2a90ac34-3274-49b2-bac3-2dac93b5e0a6\":{\"label\":\"Finding 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.finding_id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"694097f4-e845-4f15-a42b-3fd4b5731141\",\"24eae38e-8e7e-40fd-aa3a-19cd55219b6c\",\"2a90ac34-3274-49b2-bac3-2dac93b5e0a6\",\"20ad1142-7e78-47f7-8889-6069ad3f7a46\",\"e2c1831b-bcc2-49b1-b286-a80e84bfebe1\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Rule Results\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":31,\"w\":37,\"h\":11,\"i\":\"e9b5a9c0-5358-43e6-bcf3-ca3dbfe6ee60\"},\"panelIndex\":\"e9b5a9c0-5358-43e6-bcf3-ca3dbfe6ee60\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"7d972a32-d117-4963-a7bf-58fc65fb1ee8\",\"name\":\"indexpattern-datasource-layer-324940c5-7336-4d83-afd8-f132999ad21d\",\"type\":\"index-pattern\"},{\"id\":\"7d972a32-d117-4963-a7bf-58fc65fb1ee8\",\"name\":\"de7d5fcd-69c9-489a-ad14-e43451dc3eaa\",\"type\":\"index-pattern\"},{\"id\":\"7d972a32-d117-4963-a7bf-58fc65fb1ee8\",\"name\":\"82886999-a1d2-44ca-9355-6473b13151a2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"area\",\"layers\":[{\"layerId\":\"324940c5-7336-4d83-afd8-f132999ad21d\",\"accessors\":[\"c7ed6ef5-293c-4841-8d4b-44ba3a962b27\"],\"position\":\"top\",\"seriesType\":\"area\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4c922613-246c-4854-8a29-4a64075d585e\",\"splitAccessor\":\"9fe8831b-a25f-4432-874b-af29a49486d1\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"de7d5fcd-69c9-489a-ad14-e43451dc3eaa\",\"negate\":true,\"type\":\"phrase\",\"key\":\"rule.result\",\"params\":{\"query\":\"not applicable\"},\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"rule.result\":\"not applicable\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"82886999-a1d2-44ca-9355-6473b13151a2\",\"negate\":true,\"type\":\"phrase\",\"key\":\"rule.result\",\"params\":{\"query\":\"unknown\"},\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"rule.result\":\"unknown\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"324940c5-7336-4d83-afd8-f132999ad21d\":{\"columns\":{\"4c922613-246c-4854-8a29-4a64075d585e\":{\"label\":\"event.ingested\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.ingested\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c7ed6ef5-293c-4841-8d4b-44ba3a962b27\":{\"label\":\"STIG Counts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9fe8831b-a25f-4432-874b-af29a49486d1\":{\"label\":\"Top 4 values of 
rule.result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.result\",\"isBucketed\":true,\"params\":{\"size\":4,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c7ed6ef5-293c-4841-8d4b-44ba3a962b27\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"9fe8831b-a25f-4432-874b-af29a49486d1\",\"4c922613-246c-4854-8a29-4a64075d585e\",\"c7ed6ef5-293c-4841-8d4b-44ba3a962b27\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"TYCHON continuously reports the status of STIG results, this is the history of those results.\",\"enhancements\":{}},\"title\":\"STIG Scan Results History \"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":42,\"w\":37,\"h\":14,\"i\":\"0259e2ee-6cce-430e-8e87-d57537a418f0\"},\"panelIndex\":\"0259e2ee-6cce-430e-8e87-d57537a418f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-159bfab9-7c23-4970-a3b5-5fbfe799e5f4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"treemap\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"layers\":[{\"layerId\":\"159bfab9-7c23-4970-a3b5-5fbfe799e5f4\",\"primaryGroups\":[\"55733772-e80d-4270-b1ec-3cb02c639a4a\"],\"secondaryGroups\":[],\"metrics\":[\"3f83400f-c042-46f1-acaa-22fc25d8fdbd\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"collapseFns\":{\"55733772-e80d-4270-b1ec-3cb02c639a4a\":\"\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formB
ased\":{\"layers\":{\"159bfab9-7c23-4970-a3b5-5fbfe799e5f4\":{\"columns\":{\"55733772-e80d-4270-b1ec-3cb02c639a4a\":{\"label\":\"Top 1000 values of rule.oval.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.oval.id\",\"isBucketed\":true,\"params\":{\"size\":1000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f83400f-c042-46f1-acaa-22fc25d8fdbd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"3f83400f-c042-46f1-acaa-22fc25d8fdbd\":{\"label\":\"Sum of rule.result.score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"rule.result.score\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"55733772-e80d-4270-b1ec-3cb02c639a4a\",\"3f83400f-c042-46f1-acaa-22fc25d8fdbd\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Rule Result Map\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] STIG Report Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-08-31T11:43:43.382Z", + "id": "tychon-078edb40-d137-11e9-a2af-693b633cf871-stig", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "managed": true, + "references": [ + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "c9a6aaf7-7ebd-43d6-ae37-eb8664d5c0c5:indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "2b7c414a-b5fb-4a90-9231-26aaa796e7bf:indexpattern-datasource-layer-dd63da37-c38e-481c-8749-8d1939e14d4f", + "type": "index-pattern" + }, + { + "id": 
"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "6cb8b7bb-6752-4d80-b398-16c5b02eb0b6:indexpattern-datasource-layer-bbddf942-4f39-4965-9729-159c62ef2d15", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "149977b6-c38d-4715-974d-641c1fc8e57b:indexpattern-datasource-layer-5e88cf37-b3d3-4794-acb6-5e30cdcfd93e", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "cec1fd74-b355-4dde-a4d0-a249bbe4f600:indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "28e2a613-0d7f-4476-aed1-7175f2a18f28:indexpattern-datasource-layer-7ab9f589-0859-4a2d-a405-8041d7078f67", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "13f2d060-9d0e-4fba-9ab5-d2f3baeb0250:indexpattern-datasource-layer-8d93f7aa-9914-492a-a515-42761f7602a6", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "87fa7e60-7def-4b15-a49b-1f651cfee463:indexpattern-datasource-layer-93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "ca6d3287-d16e-4e2f-9216-6140f4f2b4c1:indexpattern-datasource-layer-771df181-6280-4ee3-b215-d26003efa966", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "3d731c15-8a40-45e3-bb29-f6aed782e586:indexpattern-datasource-layer-cbc12900-bf4a-46dd-b2a6-bd0477c82967", + "type": "index-pattern" + }, + { + "id": "tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig", + "name": "3d731c15-8a40-45e3-bb29-f6aed782e586:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:3c0dfe4d-c571-4127-ba6c-7362042cf2e2:dashboardId", + "type": "dashboard" + }, + { + "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21", + "name": "5bf2f4f8-4744-4f94-b99d-69b88ff226d1:indexpattern-datasource-layer-0e956b5d-4b99-4efc-98a3-8b5ad23c4cab", + "type": 
"index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "100e003c-689d-4ccb-a36e-3a61c8aa1f37:indexpattern-datasource-layer-531949cb-8d36-4358-b503-c470db2357b8", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "100e003c-689d-4ccb-a36e-3a61c8aa1f37:68fe6bfd-8554-40ce-9803-f0fa1fa5f047", + "type": "index-pattern" + }, + { + "id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8", + "name": "e9b5a9c0-5358-43e6-bcf3-ca3dbfe6ee60:indexpattern-datasource-layer-324940c5-7336-4d83-afd8-f132999ad21d", + "type": "index-pattern" + }, + { + "id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8", + "name": "e9b5a9c0-5358-43e6-bcf3-ca3dbfe6ee60:de7d5fcd-69c9-489a-ad14-e43451dc3eaa", + "type": "index-pattern" + }, + { + "id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8", + "name": "e9b5a9c0-5358-43e6-bcf3-ca3dbfe6ee60:82886999-a1d2-44ca-9355-6473b13151a2", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "0259e2ee-6cce-430e-8e87-d57537a418f0:indexpattern-datasource-layer-159bfab9-7c23-4970-a3b5-5fbfe799e5f4", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "controlGroup_49a66ed0-406a-4bd8-b21b-965eb1f497f9:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "controlGroup_dbbeb350-d58e-4ea2-8079-2b9d4478974f:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "controlGroup_44a753fb-4299-48af-b65f-ebb50e7a8c3b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "controlGroup_ac743466-b33c-422d-a482-e9a04f6351ca:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "tychon-10af3800-10f3-11ee-af86-538da1394f27", 
+ "name": "tag-ref-tychon-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "tychon-579051b0-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-tychon-579051b0-10f2-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "tychon-39b55820-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-tychon-39b55820-10f2-11ee-af86-538da1394f27", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-08-31T11:43:43.382Z", + "version": "WzM0MDEsNF0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice.json b/packages/tychon/kibana/dashboard/tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice.json new file mode 100644 index 00000000000..648f4ef5f5d --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"b1548c53-ca3d-47b3-bc05-664ddc1e045a\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"b1548c53-ca3d-47b3-bc05-664ddc1e045a\",\"enhancements\":{},\"selectedOptions\":[]}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Services and Ports view displays all Services found on hosts, as well as listening ports and ARP Tables.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"7ce4caed-f1dc-4d52-934f-bf01a1c79c50\"},\"panelIndex\":\"7ce4caed-f1dc-4d52-934f-bf01a1c79c50\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_7ce4caed-f1dc-4d52-934f-bf01a1c79c50\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":16,\"h\":5,\"i\":\"79df6d59-56ab-4ee3-addd-87cd507061e9\"},\"panelIndex\":\"79df6d59-56ab-4ee3-addd-87cd507061e9\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Services 
and Ports\\nTYCHON reports what ports are open at the time of the check. It records what process and command was used to open the port and correlates that process if it was started as a service.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":16,\"y\":3,\"w\":32,\"h\":51,\"i\":\"90112a9f-2161-4263-bc42-8af46aeb05e4\"},\"panelIndex\":\"90112a9f-2161-4263-bc42-8af46aeb05e4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-9a26db3f-b1d3-4fb3-8b88-91eec3c3bac6\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"f0f0e83f-7af8-46e0-8e52-bfb7c6a96968\",\"width\":259.0666666666667},{\"isTransposed\":false,\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\",\"hidden\":true},{\"columnId\":\"66204765-468d-419c-9ea9-d073900e559f\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":110.39999999999998},{\"columnId\":\"6ec1bb1d-7e6e-4b12-ab95-bcec881d02fc\",\"isTransposed\":false},{\"columnId\":\"bfbad6ce-a8e2-4f07-96e3-f2e0ee3de92d\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":169.39999999999998},{\"columnId\":\"8d7e5159-9321-4909-b291-9d44a246e217\",\"isTransposed\":false,\"width\":413.5666666666666},{\"columnId\":\"70ec6dba-dbad-4f8c-81a9-b7f5c094e641\",\"isTransposed\":false},{\"columnId\":\"baacc6bf-fc31-430c-b112-2ba01c97aa21\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"7bcc4134-d33c-44a4-aa9f-cc143f006e31\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"1738b58d-80b9-4562-98ef-316a0319e8d1\",\"isTransposed\":false}],\"layerId\":\"9a26db3f-b1d3-4fb3-8b88-91eec3c3bac6\",\"layerType\":\"data\"},\"query\":{\"q
uery\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9a26db3f-b1d3-4fb3-8b88-91eec3c3bac6\":{\"columns\":{\"f0f0e83f-7af8-46e0-8e52-bfb7c6a96968\":{\"label\":\"Service Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"service.name\",\"isBucketed\":true,\"params\":{\"size\":150,\"orderBy\":{\"type\":\"column\",\"columnId\":\"7bcc4134-d33c-44a4-aa9f-cc143f006e31\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"66204765-468d-419c-9ea9-d073900e559f\":{\"label\":\"Protocol\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.transport\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6ec1bb1d-7e6e-4b12-ab95-bcec881d02fc\":{\"label\":\"Command Line 
Used\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"bfbad6ce-a8e2-4f07-96e3-f2e0ee3de92d\":{\"label\":\"Port Number\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.port\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8d7e5159-9321-4909-b291-9d44a246e217\":{\"label\":\"User\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.user.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"70ec6dba-dbad-4f8c-81a9-b7f5c094e641\":{\"label\":\"Service 
Description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"service.description\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"baacc6bf-fc31-430c-b112-2ba01c97aa21\":{\"label\":\"Last State\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"service.state\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7bcc4134-d33c-44a4-aa9f-cc143f006e31\":{\"label\":\"Last Seen\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"@timestamp\",\"filter\":{\"query\":\"@timestamp: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"1738b58d-80b9-4562-98ef-316a0319e8d1\":{\"label\":\"Process 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"7bcc4134-d33c-44a4-aa9f-cc143f006e31\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1738b58d-80b9-4562-98ef-316a0319e8d1\",\"f0f0e83f-7af8-46e0-8e52-bfb7c6a96968\",\"70ec6dba-dbad-4f8c-81a9-b7f5c094e641\",\"bfbad6ce-a8e2-4f07-96e3-f2e0ee3de92d\",\"66204765-468d-419c-9ea9-d073900e559f\",\"6ec1bb1d-7e6e-4b12-ab95-bcec881d02fc\",\"8d7e5159-9321-4909-b291-9d44a246e217\",\"baacc6bf-fc31-430c-b112-2ba01c97aa21\",\"8816caf5-40ad-44a7-8196-f8d2c3ca0edf\",\"7bcc4134-d33c-44a4-aa9f-cc143f006e31\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Listening 
Ports\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":8,\"i\":\"d43241be-bffb-4076-9153-27424a7c9154\"},\"panelIndex\":\"d43241be-bffb-4076-9153-27424a7c9154\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77\"}],\"state\":{\"visualization\":{\"layerId\":\"dd4e1981-717a-4e31-a959-c13317ad6f77\",\"accessor\":\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd4e1981-717a-4e31-a959-c13317ad6f77\":{\"columns\":{\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\":{\"label\":\"Total Unique Listening Ports\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.port\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":8,\"i\":\"39d605bd-cd52-4e81-90fc-15dde8a50450\"},\"panelIndex\":\"39d605bd-cd52-4e81-90fc-15dde8a50450\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-4bcc97dc-80c1-4c57-9a0c-aacd0a6a6be1\"}],\"state\":{\"visualization\":{\"layerId\":\"4bcc97dc-80c1-4c57-9a0c-aacd0a6a6be1\",\"accessor\":\"216dce16-7856-405d-8c0d-92246e7c3511\",\"layerTy
pe\":\"data\",\"size\":\"l\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4bcc97dc-80c1-4c57-9a0c-aacd0a6a6be1\":{\"columns\":{\"216dce16-7856-405d-8c0d-92246e7c3511\":{\"label\":\"Total Unique Processes Hosting Ports\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"process.hash.sha1\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"216dce16-7856-405d-8c0d-92246e7c3511\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":16,\"w\":8,\"h\":8,\"i\":\"fd1293f8-ebe9-460f-81ab-a4ada0b42050\"},\"panelIndex\":\"fd1293f8-ebe9-460f-81ab-a4ada0b42050\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77\"}],\"state\":{\"visualization\":{\"layerId\":\"dd4e1981-717a-4e31-a959-c13317ad6f77\",\"accessor\":\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd4e1981-717a-4e31-a959-c13317ad6f77\":{\"columns\":{\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\":{\"label\":\"Total Unique Users Hosting 
Ports\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"process.user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":16,\"w\":8,\"h\":8,\"i\":\"9c36f7cb-cd04-43e3-80c7-8ec29e797343\"},\"panelIndex\":\"9c36f7cb-cd04-43e3-80c7-8ec29e797343\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77\"}],\"state\":{\"visualization\":{\"layerId\":\"dd4e1981-717a-4e31-a959-c13317ad6f77\",\"accessor\":\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd4e1981-717a-4e31-a959-c13317ad6f77\":{\"columns\":{\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\":{\"label\":\"Total Unique Services Hosting 
Ports\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"service.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"ff8cf41e-40d1-4bf9-a828-aa521b19ea54\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":24,\"w\":16,\"h\":30,\"i\":\"4c945e75-db31-435b-b558-76d8cf5b391c\"},\"panelIndex\":\"4c945e75-db31-435b-b558-76d8cf5b391c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-f5451e54-90d4-4c69-a6a9-c600ac385e14\"}],\"state\":{\"visualization\":{\"layerId\":\"f5451e54-90d4-4c69-a6a9-c600ac385e14\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"6b3d57ed-b00b-44ac-a81e-d944444689bb\"},{\"columnId\":\"5a004af6-8051-49f8-9cd3-76e2fef40ee1\",\"isTransposed\":false},{\"columnId\":\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"304d888e-452b-4c1c-8433-f9bf5ccc9483\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f5451e54-90d4-4c69-a6a9-c600ac385e14\":{\"columns\":{\"6b3d57ed-b00b-44ac-a81e-d944444689bb\":{\"label\":\"IP 
Address\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a004af6-8051-49f8-9cd3-76e2fef40ee1\":{\"label\":\"MAC\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.mac\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\":{\"label\":\"Last Seen\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"event.ingested\",\"filter\":{\"query\":\"event.ingested: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"304d888e-452b-4c1c-8433-f9bf5ccc9483\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6b3d57ed-b00b-44ac-a81e-d944444689bb\",\"5a004af6-8051-49f8-9cd3-76e2fef40ee1\",\"304d888e-452b-4c1c-8433-f9bf5ccc9483\",\"92d6eed0-f933-4ac5-bdf6-6c7baf36f8fa\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Arp History\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Services and Ports", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:49:39.888Z", + "id": "tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "7ce4caed-f1dc-4d52-934f-bf01a1c79c50:panel_7ce4caed-f1dc-4d52-934f-bf01a1c79c50", + "type": "visualization" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "90112a9f-2161-4263-bc42-8af46aeb05e4:indexpattern-datasource-layer-9a26db3f-b1d3-4fb3-8b88-91eec3c3bac6", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "d43241be-bffb-4076-9153-27424a7c9154:indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77", + "type": 
"index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "39d605bd-cd52-4e81-90fc-15dde8a50450:indexpattern-datasource-layer-4bcc97dc-80c1-4c57-9a0c-aacd0a6a6be1", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "fd1293f8-ebe9-460f-81ab-a4ada0b42050:indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "9c36f7cb-cd04-43e3-80c7-8ec29e797343:indexpattern-datasource-layer-dd4e1981-717a-4e31-a959-c13317ad6f77", + "type": "index-pattern" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "4c945e75-db31-435b-b558-76d8cf5b391c:indexpattern-datasource-layer-f5451e54-90d4-4c69-a6a9-c600ac385e14", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_b1548c53-ca3d-47b3-bc05-664ddc1e045a:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "c957d710-3d4c-11ee-9610-15dee918f31a", + "name": "tag-ref-c957d710-3d4c-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "026431f0-3de5-11ee-9610-15dee918f31a", + "name": "tag-ref-026431f0-3de5-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "e2bb7d40-3de4-11ee-9610-15dee918f31a", + "name": "tag-ref-e2bb7d40-3de4-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:49:39.888Z", + "version": "WzgyMTMzMiwyMl0=" +} \ No newline at end of file 
diff --git a/packages/tychon/kibana/dashboard/tychon-19325010-4597-11ee-83e4-c92ed141b9e5-hardware.json b/packages/tychon/kibana/dashboard/tychon-19325010-4597-11ee-83e4-c92ed141b9e5-hardware.json new file mode 100644 index 00000000000..d9bc571261d --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-19325010-4597-11ee-83e4-c92ed141b9e5-hardware.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": "TYCHON Collects information about all the hardware attached to a device and centrally reports them for device identification and alerting.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":9,\"i\":\"17c7be63-f9af-43b2-b072-46419958ea46\"},\"panelIndex\":\"17c7be63-f9af-43b2-b072-46419958ea46\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Hardware\\nTYCHON collects information about all the hardware attached to a device, this is a running configuration which means devices will update on each execution of its 
check.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":6,\"h\":9,\"i\":\"7ba08a47-401e-4d22-a992-9c49fc569971\"},\"panelIndex\":\"7ba08a47-401e-4d22-a992-9c49fc569971\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-a1cda907-11f0-4670-aa5e-e3e30f1d24e9\"}],\"state\":{\"visualization\":{\"layerId\":\"a1cda907-11f0-4670-aa5e-e3e30f1d24e9\",\"accessor\":\"fc348028-9e09-4cd5-940b-ef83d2359eed\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a1cda907-11f0-4670-aa5e-e3e30f1d24e9\":{\"columns\":{\"fc348028-9e09-4cd5-940b-ef83d2359eed\":{\"label\":\"Total Number of 
Devices\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"fc348028-9e09-4cd5-940b-ef83d2359eed\"],\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":0,\"w\":5,\"h\":9,\"i\":\"2e2bf3e3-dff8-43f1-a238-14c583057748\"},\"panelIndex\":\"2e2bf3e3-dff8-43f1-a238-14c583057748\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-180f9fce-b975-42dc-b910-16129cc7ce18\"}],\"state\":{\"visualization\":{\"layerId\":\"180f9fce-b975-42dc-b910-16129cc7ce18\",\"layerType\":\"data\",\"metricAccessor\":\"11470769-8f79-4e86-82ee-4ca06d1d68b9\",\"maxAccessor\":\"a1bf5eb6-4030-44c9-9be1-f817716c0c81\",\"showBar\":true},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"180f9fce-b975-42dc-b910-16129cc7ce18\":{\"columns\":{\"11470769-8f79-4e86-82ee-4ca06d1d68b9\":{\"label\":\"Total Missing\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"device.present : false \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a1bf5eb6-4030-44c9-9be1-f817716c0c81\":{\"label\":\"Total 
Devices\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"11470769-8f79-4e86-82ee-4ca06d1d68b9\",\"a1bf5eb6-4030-44c9-9be1-f817716c0c81\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":9,\"i\":\"c113e347-dd42-4bc1-9aef-335a839532a6\"},\"panelIndex\":\"c113e347-dd42-4bc1-9aef-335a839532a6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-98992589-ad15-4ced-9b63-1024a02e5ffc\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"area\",\"layers\":[{\"layerId\":\"98992589-ad15-4ced-9b63-1024a02e5ffc\",\"accessors\":[\"65039f2f-1a79-47a9-8bce-bc7973880d19\"],\"position\":\"top\",\"seriesType\":\"area\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6cf9b997-b221-4440-b5eb-2e5ca62085c6\",\"yConfig\":[{\"forAccessor\":\"65039f2f-1a79-47a9-8bce-bc7973880d19\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"98992589-ad15-4ced-9b63-1024a02e5ffc\":{\"columns\":{\"6cf9b997-b221-4440-b5eb-2e5ca62085c6\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"65039f2f-1a79-47a9-8bce-bc7973880d19\":{\"label\":\"Completed\",\"dat
aType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.provider : \\\"TYCHON\\\" and event.code: 8572 \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6cf9b997-b221-4440-b5eb-2e5ca62085c6\",\"65039f2f-1a79-47a9-8bce-bc7973880d19\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hardware Check Runs\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":32,\"i\":\"dddc033e-26c8-4d25-8eaf-7a71e4ede5d1\"},\"panelIndex\":\"dddc033e-26c8-4d25-8eaf-7a71e4ede5d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-de0ffd5a-a84b-408a-8918-277dff49c8b3\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"365f3728-0ff7-4aa1-b698-5c0f73e18885\"},{\"isTransposed\":false,\"columnId\":\"a2dd15c9-029c-45c5-9ffc-2128d8339b73\"}],\"layerId\":\"de0ffd5a-a84b-408a-8918-277dff49c8b3\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"de0ffd5a-a84b-408a-8918-277dff49c8b3\":{\"columns\":{\"365f3728-0ff7-4aa1-b698-5c0f73e18885\":{\"label\":\"Class 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.class\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a2dd15c9-029c-45c5-9ffc-2128d8339b73\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a2dd15c9-029c-45c5-9ffc-2128d8339b73\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"365f3728-0ff7-4aa1-b698-5c0f73e18885\",\"a2dd15c9-029c-45c5-9ffc-2128d8339b73\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Device Class\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":9,\"w\":17,\"h\":32,\"i\":\"c8b42e5a-83d8-4825-a492-da98c13a1a08\"},\"panelIndex\":\"c8b42e5a-83d8-4825-a492-da98c13a1a08\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-34a2436c-07dc-498a-be40-8cb262419c05\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"a95f71cb-2e47-4697-bf7e-85ad057c2d40\"},{\"isTransposed\":false,\"columnId\":\"81d20c1a-4966-49ba-b8f7-8bd498efe960\"}],\"layerId\":\"34a2436c-07dc-498a-be40-8cb262419c05\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"34a2436c-07dc-498a-be40-8cb262419c05\":{\"columns\":{\"a95f71cb-2e47-4697-bf7e-85ad057c2d40\":{\"label\":\"Device 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.name\",\"isBucketed\":true,\"params\":{\"size\":150,\"orderBy\":{\"type\":\"column\",\"columnId\":\"81d20c1a-4966-49ba-b8f7-8bd498efe960\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"81d20c1a-4966-49ba-b8f7-8bd498efe960\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a95f71cb-2e47-4697-bf7e-85ad057c2d40\",\"81d20c1a-4966-49ba-b8f7-8bd498efe960\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Device List\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":26,\"y\":9,\"w\":22,\"h\":32,\"i\":\"4ac216eb-8bcc-494f-9b81-a9fe59ae81ab\"},\"panelIndex\":\"4ac216eb-8bcc-494f-9b81-a9fe59ae81ab\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-ac03e011-a4b2-4b4d-aa4a-cd03927d0caa\"}],\"state\":{\"visualization\":{\"layerId\":\"ac03e011-a4b2-4b4d-aa4a-cd03927d0caa\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"620db13d-b1cc-43ca-9c44-3ebce5134c4b\"},{\"columnId\":\"4ef80e17-b12d-4590-b3d6-ea41e57bb312\"},{\"columnId\":\"598c6951-5020-415f-a8a8-db6f45a2b048\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"28411865-706a-414c-b332-07d027efcd8d\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"form
Based\":{\"layers\":{\"ac03e011-a4b2-4b4d-aa4a-cd03927d0caa\":{\"columns\":{\"620db13d-b1cc-43ca-9c44-3ebce5134c4b\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4ef80e17-b12d-4590-b3d6-ea41e57bb312\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"598c6951-5020-415f-a8a8-db6f45a2b048\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ef80e17-b12d-4590-b3d6-ea41e57bb312\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"28411865-706a-414c-b332-07d027efcd8d\":{\"label\":\"Domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ef80e17-b12d-4590-b3d6-ea41e57bb312\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"598c6951-5020-415f-a8a8-db6f45a2b048\",\"620db13d-b1cc-43ca-9c44-3ebce5134c4b\",\"28411865-706a-414c-b332-07d027efcd8d\",\"4ef80e17-b12d-4590-b3d6-ea41e57bb312\"],\"incomplet
eColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"90abb6a6-a494-4eb6-a02d-c2a1e8ee11a8\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Hardware Info in Endpoint Browser\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Top 100 Hosts\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":26,\"h\":26,\"i\":\"0d51f28d-c2bd-4b50-ab4f-ffb355da70e6\"},\"panelIndex\":\"0d51f28d-c2bd-4b50-ab4f-ffb355da70e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-81933fcc-92fd-4aff-a302-cb7b541a46d7\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"81933fcc-92fd-4aff-a302-cb7b541a46d7\",\"primaryGroups\":[\"f827526d-46e8-4209-8473-083bd58d1690\"],\"metrics\":[\"a8290c50-0d81-465f-b289-1d4f0b891052\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"legendPosition\":\"top\",\"legendMaxLines\":2}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"81933fcc-92fd-4aff-a302-cb7b541a46d7\":{\"columns\":{\"f827526d-46e8-4209-8473-083bd58d1690\":{\"label\":\"Top 10 values of 
device.manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a8290c50-0d81-465f-b289-1d4f0b891052\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"a8290c50-0d81-465f-b289-1d4f0b891052\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f827526d-46e8-4209-8473-083bd58d1690\",\"a8290c50-0d81-465f-b289-1d4f0b891052\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":26,\"y\":41,\"w\":22,\"h\":26,\"i\":\"3c97fa95-19e7-468c-8f1e-b0c7792b4efd\"},\"panelIndex\":\"3c97fa95-19e7-468c-8f1e-b0c7792b4efd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-b2e94ae9-2e1f-4a2f-b746-c80ae4d5f2d1\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"b2e94ae9-2e1f-4a2f-b746-c80ae4d5f2d1\",\"accessors\":[\"e4ac8fc3-809c-4fd0-aa94-e68a0a59a4a2
\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9385acc2-ff0d-4789-98d1-8da9ca6e54d9\",\"yConfig\":[{\"forAccessor\":\"e4ac8fc3-809c-4fd0-aa94-e68a0a59a4a2\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b2e94ae9-2e1f-4a2f-b746-c80ae4d5f2d1\":{\"columns\":{\"9385acc2-ff0d-4789-98d1-8da9ca6e54d9\":{\"label\":\"Operating System\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e4ac8fc3-809c-4fd0-aa94-e68a0a59a4a2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e4ac8fc3-809c-4fd0-aa94-e68a0a59a4a2\":{\"label\":\"Total Endpoints\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"9385acc2-ff0d-4789-98d1-8da9ca6e54d9\",\"e4ac8fc3-809c-4fd0-aa94-e68a0a59a4a2\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Hardware Inventory", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-28T11:39:42.189Z", + "id": "tychon-19325010-4597-11ee-83e4-c92ed141b9e5-hardware", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": 
"7ba08a47-401e-4d22-a992-9c49fc569971:indexpattern-datasource-layer-a1cda907-11f0-4670-aa5e-e3e30f1d24e9", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "2e2bf3e3-dff8-43f1-a238-14c583057748:indexpattern-datasource-layer-180f9fce-b975-42dc-b910-16129cc7ce18", + "type": "index-pattern" + }, + { + "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21", + "name": "c113e347-dd42-4bc1-9aef-335a839532a6:indexpattern-datasource-layer-98992589-ad15-4ced-9b63-1024a02e5ffc", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "dddc033e-26c8-4d25-8eaf-7a71e4ede5d1:indexpattern-datasource-layer-de0ffd5a-a84b-408a-8918-277dff49c8b3", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "c8b42e5a-83d8-4825-a492-da98c13a1a08:indexpattern-datasource-layer-34a2436c-07dc-498a-be40-8cb262419c05", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "4ac216eb-8bcc-494f-9b81-a9fe59ae81ab:indexpattern-datasource-layer-ac03e011-a4b2-4b4d-aa4a-cd03927d0caa", + "type": "index-pattern" + }, + { + "id": "tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware", + "name": "4ac216eb-8bcc-494f-9b81-a9fe59ae81ab:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:90abb6a6-a494-4eb6-a02d-c2a1e8ee11a8:dashboardId", + "type": "dashboard" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "0d51f28d-c2bd-4b50-ab4f-ffb355da70e6:indexpattern-datasource-layer-81933fcc-92fd-4aff-a302-cb7b541a46d7", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "3c97fa95-19e7-468c-8f1e-b0c7792b4efd:indexpattern-datasource-layer-b2e94ae9-2e1f-4a2f-b746-c80ae4d5f2d1", + "type": "index-pattern" + }, + { + "id": "tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a", + "name": 
"tag-ref-tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "tychon-e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-tychon-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "tychon-10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-tychon-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-28T11:39:42.189Z", + "version": "Wzg5NjcxNywyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter.json b/packages/tychon/kibana/dashboard/tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter.json new file mode 100644 index 00000000000..fbf2fcc9447 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter.json 
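Review bot: The tag references closing this file (`tychon-e18d6100-3c85-11ee-9610-15dee918f31a`, `tychon-10af3800-10f3-11ee-af86-538da1394f27`) carry the `tychon-` package prefix, while the exposedservice dashboard earlier in this diff references the same two tags unprefixed (`e18d6100-3c85-11ee-9610-15dee918f31a`, `10af3800-10f3-11ee-af86-538da1394f27`); only one of those forms can match the tag saved objects shipped with the package, so the two dashboards should be aligned on one id scheme before merge. The same reference list mixes bare UUIDs for the index-pattern entries (`a57870ef-07d8-4d12-a067-8c66eefd10ca`, `df491fbb-3f09-4ab0-995a-c2c549a9bc21`) with prefixed ids for the tag and drilldown-dashboard entries; if Fleet rewrites index-pattern references at install time this is harmless, otherwise they need the same treatment. Separately, the `Hardware Check Runs` XY panel still carries the editor default `\"title\":\"Empty XY chart\"` inside its visualization state, which is leftover export noise and can be dropped.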
@@ -0,0 +1,91 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"a888c608-f4d6-4b9e-89e5-b23938eae614\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Hostname\",\"fieldName\":\"host.hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"a888c608-f4d6-4b9e-89e5-b23938eae614\",\"enhancements\":{}}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Network Cards view displays information about every physical and virtual network interface attached to the endpoint. TYCHON also captures wireless identification information, drivers, dhcp/wins server information, and more.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"89be3f45-0b62-42ac-83fa-2f2f7f9857cb\"},\"panelIndex\":\"89be3f45-0b62-42ac-83fa-2f2f7f9857cb\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_89be3f45-0b62-42ac-83fa-2f2f7f9857cb\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":6,\"h\":11,\"i\":\"40b4e937-487e-44aa-86f1-dbc38e0c2278\"},\"panelIndex\":\"40b4e937-487e-44aa-86f1-dbc38e0c2278\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Network Adapters\\nTYCHON collects all the Network Adapters, virtual and physical, attached to a device. The endpoint will report on the driver it uses, as well as IP-based information for both IP versions 4 and 6. TYCHON will also report connected wireless information if a WIFI adapter is attached to the 
host.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":3,\"w\":5,\"h\":11,\"i\":\"084075d4-a371-4a99-9bf0-627c41cf8b53\"},\"panelIndex\":\"084075d4-a371-4a99-9bf0-627c41cf8b53\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-af5e1785-c716-4020-a4af-3349819785f8\"}],\"state\":{\"visualization\":{\"layerId\":\"af5e1785-c716-4020-a4af-3349819785f8\",\"accessor\":\"2d4e6a8a-eba5-49c6-a626-be25534c183d\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"size\":\"xl\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"af5e1785-c716-4020-a4af-3349819785f8\":{\"columns\":{\"2d4e6a8a-eba5-49c6-a626-be25534c183d\":{\"label\":\"Total Network 
Adapters\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.adapter.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2d4e6a8a-eba5-49c6-a626-be25534c183d\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":3,\"w\":37,\"h\":11,\"i\":\"f9cc6faa-ea73-4da4-97ab-08f81e9cb3fe\"},\"panelIndex\":\"f9cc6faa-ea73-4da4-97ab-08f81e9cb3fe\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-ff6a221f-469c-4ef6-a8e1-3f697430331c\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"709554a2-6b92-446a-8924-35460cb0962b\"},{\"columnId\":\"9c48cd5b-dbef-4c40-a417-27bfdf6b4721\",\"isTransposed\":false},{\"columnId\":\"886a311d-40aa-44de-9feb-6a9a2d9cc915\",\"isTransposed\":false},{\"columnId\":\"d440007c-1904-4e96-b222-df218f750a23\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\",\"isTransposed\":false}],\"layerId\":\"ff6a221f-469c-4ef6-a8e1-3f697430331c\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ff6a221f-469c-4ef6-a8e1-3f697430331c\":{\"columns\":{\"709554a2-6b92-446a-8924-35460cb0962b\":{\"label\":\"Driver 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9c48cd5b-dbef-4c40-a417-27bfdf6b4721\":{\"label\":\"Driver File\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.file_name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"886a311d-40aa-44de-9feb-6a9a2d9cc915\":{\"label\":\"Provider\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.provider\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"d440007c-1904-4e96-b222-df218f750a23\":{\"label\":\"Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"include
IsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\":{\"label\":\"Driver Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.driver.date\",\"filter\":{\"query\":\"host.adapter.driver.date: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true}},\"columnOrder\":[\"709554a2-6b92-446a-8924-35460cb0962b\",\"d440007c-1904-4e96-b222-df218f750a23\",\"9c48cd5b-dbef-4c40-a417-27bfdf6b4721\",\"886a311d-40aa-44de-9feb-6a9a2d9cc915\",\"e7108e0d-22b2-4f89-9f2b-290ecb6ccca9\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Driver Information\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":10,\"i\":\"15c69399-dcbc-4881-bc99-4818e466265c\"},\"panelIndex\":\"15c69399-dcbc-4881-bc99-4818e466265c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-6a5dd59a-90ba-4d4e-ab97-e829b8d2deb7\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"b1e9f075-199d-446c-8433-c2730dfc96bd\",\"width\":216.75454545454545},{\"isTransposed\":false,\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\",\"hidden\":true},{\"columnId\":\"879a60e7-10d5-42f8-b2c1-01ea749635cb\",\"isTransposed\":false,\"width\":173.97118181818183},{\"columnId\":\"69b26d50-3416-47ef-aa4e-9d2c689b0b63\",\"isTransposed\":false,\"alignment\":\"center\",\"collapseFn\":\"\"},{\"columnId\":\"8ab455b8-c910-4c6a-bcef-affc5bb67e8d\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":116.52673737373738},{\"columnId\":\"602140d9-4086-44be-abc5-897301f23eff\",\"isTranspos
ed\":false,\"alignment\":\"center\"},{\"columnId\":\"f1e5a62a-3593-4d6a-93dc-b907a0c92d91\",\"isTransposed\":false,\"width\":133.65173737373738},{\"columnId\":\"e1189c3c-f074-4ea5-bdc1-dbf36939e37a\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":109.50888023088024},{\"columnId\":\"169ce68c-3a37-46f0-b5ec-009e53190781\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"be1f5181-4560-439a-abb0-bb6c83c22136\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"fc864c56-0a4b-493a-ad61-6ccf28b29ef1\",\"isTransposed\":false,\"width\":94.45454545454547,\"alignment\":\"center\"},{\"columnId\":\"c971cbdc-b632-4b4c-b31d-007efef17ea7\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":121.0790909090909},{\"columnId\":\"0c76bafc-3ee0-4f81-84df-4c2d4360b3bd\",\"isTransposed\":false}],\"layerId\":\"6a5dd59a-90ba-4d4e-ab97-e829b8d2deb7\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6a5dd59a-90ba-4d4e-ab97-e829b8d2deb7\":{\"columns\":{\"b1e9f075-199d-446c-8433-c2730dfc96bd\":{\"label\":\"IP Address\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"08b29813-ec38-4395-8a88-7c889625a8e2\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"879a60e7-10d5-42f8-b2c1-01ea749635cb\":{\"label\":\"MAC 
Address\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.mac\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"69b26d50-3416-47ef-aa4e-9d2c689b0b63\":{\"label\":\"Domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8ab455b8-c910-4c6a-bcef-affc5bb67e8d\":{\"label\":\"Link Speed\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.link_speed\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"602140d9-4086-44be-abc5-897301f23eff\":{\"label\":\"Media 
Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.media.type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f1e5a62a-3593-4d6a-93dc-b907a0c92d91\":{\"label\":\"Gateway\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.gateway\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e1189c3c-f074-4ea5-bdc1-dbf36939e37a\":{\"label\":\"MTU\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"host.adapter.mtu\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"169ce68c-3a37-46f0-b5ec-009e53190781\":{\"label\":\"WINS Server\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wins_server\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"be1f5181-4560-439a-abb0-bb6c83c22136\":{\"label\":\"VLAN 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.vlan.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fc864c56-0a4b-493a-ad61-6ccf28b29ef1\":{\"label\":\"Subnet\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.subnet_bit\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c971cbdc-b632-4b4c-b31d-007efef17ea7\":{\"label\":\"Virtual\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.virtual\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0c76bafc-3ee0-4f81-84df-4c2d4360b3bd\":{\"label\":\"Alias\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.alias\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"08b29813-ec38-4395-8a88-7c889625a8e2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},
\"columnOrder\":[\"b1e9f075-199d-446c-8433-c2730dfc96bd\",\"fc864c56-0a4b-493a-ad61-6ccf28b29ef1\",\"879a60e7-10d5-42f8-b2c1-01ea749635cb\",\"69b26d50-3416-47ef-aa4e-9d2c689b0b63\",\"8ab455b8-c910-4c6a-bcef-affc5bb67e8d\",\"602140d9-4086-44be-abc5-897301f23eff\",\"f1e5a62a-3593-4d6a-93dc-b907a0c92d91\",\"e1189c3c-f074-4ea5-bdc1-dbf36939e37a\",\"169ce68c-3a37-46f0-b5ec-009e53190781\",\"be1f5181-4560-439a-abb0-bb6c83c22136\",\"c971cbdc-b632-4b4c-b31d-007efef17ea7\",\"0c76bafc-3ee0-4f81-84df-4c2d4360b3bd\",\"08b29813-ec38-4395-8a88-7c889625a8e2\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Network Card Info\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":24,\"w\":14,\"h\":7,\"i\":\"a028776c-7f2e-46e7-b7a0-4b7541293e41\"},\"panelIndex\":\"a028776c-7f2e-46e7-b7a0-4b7541293e41\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-6a5f4190-04a3-4ad6-9a21-ca8517a3de08\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"169f84ee-3fc5-42ee-85b5-0809636c9075\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"1648b1b2-3c66-46bf-8d7b-0812b1a8f85d\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"33a05cbb-825f-4b2b-8354-2ae40a593309\",\"isTransposed\":false},{\"columnId\":\"9d5546e2-9c37-469d-aefc-11c45ba73d0c\",\"isTransposed\":false}],\"layerId\":\"6a5f4190-04a3-4ad6-9a21-ca8517a3de08\",\"layerType\":\"data\"},\"query\":{\"query\":\"host.adapter.dhcp.enabled : true\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6a5f4190-04a3-4ad6-9a21-ca8517a3de08\":{\"columns\":{\"169f84ee-3fc5-42ee-85b5-0809636c9075\":{\"label\":\"Lease 
Expires\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.dhcp.lease_expires\",\"filter\":{\"query\":\"host.adapter.dhcp.lease_expires: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"1648b1b2-3c66-46bf-8d7b-0812b1a8f85d\":{\"label\":\"Lease Obtained\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.dhcp.lease_obtained\",\"filter\":{\"query\":\"host.adapter.dhcp.lease_obtained: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"33a05cbb-825f-4b2b-8354-2ae40a593309\":{\"label\":\"Top 3 values of host.adapter.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"169f84ee-3fc5-42ee-85b5-0809636c9075\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"9d5546e2-9c37-469d-aefc-11c45ba73d0c\":{\"label\":\"DHCP 
Server\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.dhcp.server\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"169f84ee-3fc5-42ee-85b5-0809636c9075\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"33a05cbb-825f-4b2b-8354-2ae40a593309\",\"9d5546e2-9c37-469d-aefc-11c45ba73d0c\",\"169f84ee-3fc5-42ee-85b5-0809636c9075\",\"1648b1b2-3c66-46bf-8d7b-0812b1a8f85d\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"DHCP Information\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":24,\"w\":34,\"h\":7,\"i\":\"b67d31de-03fe-4151-94b5-33ee802a20ae\"},\"panelIndex\":\"b67d31de-03fe-4151-94b5-33ee802a20ae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-c5561883-030e-440b-9c1d-213e698c5b49\"}],\"state\":{\"visualization\":{\"layerId\":\"c5561883-030e-440b-9c1d-213e698c5b49\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"e0e7b347-b072-41ed-8937-3a83de5f2555\"},{\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"c6d2c172-9bb9-4444-8137-61ddba2c1c32\",\"isTransposed\":false},{\"columnId\":\"11b024cd-e49d-4b7d-83f4-e3f166cfc941\",\"isTransposed\":false},{\"columnId\":\"789086fb-0e1c-4541-a898-f788cb907cff\",\"isTransposed\":false},{\"columnId\":\"730a85a0-b35e-4f94-bdc5-a5227d02d2cd\",\"isTransposed\":false},{\"columnId\":\"33e14b38-1516-484a-b91f-15a98b79e33
0\",\"isTransposed\":false},{\"columnId\":\"5c8e3b75-49d8-4fa9-9700-a41806cb4364\",\"isTransposed\":false},{\"columnId\":\"09fe6e46-ea11-4357-bb69-81633e6607e9\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"host.adapter.wifi.enabled : true\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c5561883-030e-440b-9c1d-213e698c5b49\":{\"columns\":{\"e0e7b347-b072-41ed-8937-3a83de5f2555\":{\"label\":\"SSID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.ssid\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3854-b909-47e1-a1fa-306163e857a6\":{\"label\":\"Last value of host.adapter.wifi.signal_percent\",\"dataType\":\"number\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.wifi.signal_percent\",\"filter\":{\"query\":\"host.adapter.wifi.signal_percent: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\",\"format\":{\"id\":\"percent\",\"params\":{\"decimals\":2}}}},\"c6d2c172-9bb9-4444-8137-61ddba2c1c32\":{\"label\":\"WIFI Authentication\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.authentication\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"11b024cd-e49d-4b7d-83f4-e3f166cfc941\":{\"label\":\"WIFI 
Cipher\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.cipher\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"789086fb-0e1c-4541-a898-f788cb907cff\":{\"label\":\"BSSID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.bssid\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"730a85a0-b35e-4f94-bdc5-a5227d02d2cd\":{\"label\":\"Band\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.band\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"33e14b38-1516-484a-b91f-15a98b79e330\":{\"label\":\"Radio 
Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.radio_type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5c8e3b75-49d8-4fa9-9700-a41806cb4364\":{\"label\":\"Channel\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.channel\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"09fe6e46-ea11-4357-bb69-81633e6607e9\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c3854-b909-47e1-a1fa-306163e857a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"09fe6e46-ea11-4357-bb69-81633e6607e9\",\"e0e7b347-b072-41ed-8937-3a83de5f2555\",\"789086fb-0e1c-4541-a898-f788cb907cff\",\"c6d2c172-9bb9-4444-8137-61ddba2c1c32\",\"11b024cd-e49d-4b7d-83f4-e3f166cfc941\",\"730a85a0-b35e-4f94-bdc5-a5227d02d2cd\",\"33e14b38-1516-484a-b91f-15a98b79e330\",\"5c8e3b75-49d8-4fa9-9700-a41806cb4364\",\"4a2c3854-b909-47e1-a1fa-306163e857a6\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"ad
HocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"WIFI Connections\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Network Cards", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:42:39.548Z", + "id": "tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "89be3f45-0b62-42ac-83fa-2f2f7f9857cb:panel_89be3f45-0b62-42ac-83fa-2f2f7f9857cb", + "type": "visualization" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "084075d4-a371-4a99-9bf0-627c41cf8b53:indexpattern-datasource-layer-af5e1785-c716-4020-a4af-3349819785f8", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "f9cc6faa-ea73-4da4-97ab-08f81e9cb3fe:indexpattern-datasource-layer-ff6a221f-469c-4ef6-a8e1-3f697430331c", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "15c69399-dcbc-4881-bc99-4818e466265c:indexpattern-datasource-layer-6a5dd59a-90ba-4d4e-ab97-e829b8d2deb7", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "a028776c-7f2e-46e7-b7a0-4b7541293e41:indexpattern-datasource-layer-6a5f4190-04a3-4ad6-9a21-ca8517a3de08", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "b67d31de-03fe-4151-94b5-33ee802a20ae:indexpattern-datasource-layer-c5561883-030e-440b-9c1d-213e698c5b49", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_a888c608-f4d6-4b9e-89e5-b23938eae614:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" 
+ },
+ {
+ "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
+ "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "11990b80-41b6-11ee-83e4-c92ed141b9e5",
+ "name": "tag-ref-11990b80-41b6-11ee-83e4-c92ed141b9e5",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2023-08-23T20:42:39.548Z",
+ "version": "WzgyMDM1NCwyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-267716e0-e9d8-11ed-9d4a-9513ae375d2b-epp.json b/packages/tychon/kibana/dashboard/tychon-267716e0-e9d8-11ed-9d4a-9513ae375d2b-epp.json
new file mode 100644
index 00000000000..bbbebbaf91a
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-267716e0-e9d8-11ed-9d4a-9513ae375d2b-epp.json
@@ -0,0 +1,250 @@ +{ + "attributes": { + "description": "TYCHON captures the status of Trellix, Elastic Defender, and Windows Defender features and versions on endpoints and reports the information in this dashboard.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":14,\"i\":\"d2e09597-e06f-4cf8-8bfd-88d40612b89e\"},\"panelIndex\":\"d2e09597-e06f-4cf8-8bfd-88d40612b89e\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Endpoint Protection Status\\nTYCHON tracks specific Endpoint Protection vendors for enabled features, installed software, and definition versions. 
Currently, TYCHON supports Trellix, Elastic Defender, and Windows Defender.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":4,\"h\":7,\"i\":\"f9a975c1-d99b-436b-9173-c616f0059426\"},\"panelIndex\":\"f9a975c1-d99b-436b-9173-c616f0059426\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572\",\"id\":\"bb5226cd-c099-46d2-bb71-0257232c7d82\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\",\"accessor\":\"8e04d29a-e144-4e68-a816-7e820fabc9b4\",\"layerType\":\"data\",\"colorMode\":\"None\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\":{\"columns\":{\"8e04d29a-e144-4e68-a816-7e820fabc9b4\":{\"label\":\"Total Endpoints 
Tracked\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"8e04d29a-e144-4e68-a816-7e820fabc9b4\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":4,\"h\":7,\"i\":\"dca19098-8eb9-440e-abf0-19ef55cee62c\"},\"panelIndex\":\"dca19098-8eb9-440e-abf0-19ef55cee62c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with a Feature 
Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.antimalware.status : \\\"Disabled\\\" or windows_defender.service.antispyware.status :\\\"Disabled\\\" or windows_defender.service.antivirus.status : \\\"Disabled\\\" or windows_defender.service.behavior_monitor.status : \\\"Disabled\\\" or windows_defender.service.ioav_protection.status : \\\"Disabled\\\" or windows_defender.service.nis.status : \\\"Disabled\\\" or windows_defender.service.on_access_protection.status : \\\"Disabled\\\" or windows_defender.service.real_time_protection.status : \\\"Disabled\\\" \",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":4,\"h\":7,\"i\":\"4383ee4c-ec16-48c2-bb13-8f896a9519d4\"},\"panelIndex\":\"4383ee4c-ec16-48c2-bb13-8f896a9519d4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"range
Min\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Anti-Spyware Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.antispyware.status :\\\"Disabled\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of 
agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":0,\"w\":4,\"h\":7,\"i\":\"d3b08c18-3a64-4ea0-95f1-39ac4198013d\"},\"panelIndex\":\"d3b08c18-3a64-4ea0-95f1-39ac4198013d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Behavior Monitor 
Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.behavior_monitor.status : \\\"Disabled\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":4,\"h\":7,\"i\":\"ac716d8e-e533-4072-aa74-65848d4e0925\"},\"panelIndex\":\"ac716d8e-e533-4072-aa74-65848d4e0925\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\"
:\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with RealTime Protection Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.real_time_protection.status : \\\"Disabled\\\" \",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":27,\"y\":0,\"w\":4,\"h\":7,\"i\":\"e5b0bf6c-69e6-4892-b691-9bc21f0c6b25\"},\"panelIndex\":\"e5b0bf6c-69e6-4892-b691-9bc21f0c6b25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572\"}],\"state\":{\"visualization\":{\"layerId\":\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\",\"accessor\":\"8e04d29a-e144-4e68-a816-7e820fabc9b4\",\"layerType\":\"data\",\"colorMode\":\"None\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\":{\"columns\":{\"8e04d29a-e144-4e68-a816-7e820fabc9b4\":{\"label\":\"Total Trellix Endpoints 
Tracked\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.ens.version : \\\"\\\" or not trellix.service.accm.version :\\\"\\\" or not trellix.service.dlp.version :\\\"\\\" or not trellix.service.pa.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"8e04d29a-e144-4e68-a816-7e820fabc9b4\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":4,\"h\":7,\"i\":\"bc5b8947-a82b-44d5-bea7-addfad736ad2\"},\"panelIndex\":\"bc5b8947-a82b-44d5-bea7-addfad736ad2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3
-bad6-69ddbc84ec76\":{\"label\":\"Systems with ENS Not Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.ens.status : \\\"Running\\\" and not trellix.service.ens.version : \\\"\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not trellix.service.ens.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":35,\"y\":0,\"w\":4,\"h\":7,\"i\":\"370c3dc5-5a15-4347-b9a7-7d75ac86cb10\"},\"panelIndex\":\"370c3dc5-5a15-4347-b9a7-7d75ac86cb10\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166
-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with PA Not Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.pa.status : \\\"Running\\\" and not trellix.service.pa.version : \\\"\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not trellix.service.pa.version : 
\\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":39,\"y\":0,\"w\":4,\"h\":7,\"i\":\"116cc01e-5861-4993-baaf-3f0cc2a312cf\"},\"panelIndex\":\"116cc01e-5861-4993-baaf-3f0cc2a312cf\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572\"}],\"state\":{\"visualization\":{\"layerId\":\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\",\"accessor\":\"8e04d29a-e144-4e68-a816-7e820fabc9b4\",\"layerType\":\"data\",\"colorMode\":\"None\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"69f12a8d-98b2-49f6-bbf5-4182bffc0572\":{\"columns\":{\"8e04d29a-e144-4e68-a816-7e820fabc9b4\":{\"label\":\"Total Elastic Defender Tracked\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not elastic.service.endpoint.behavior_protection : \\\"\\\" and not elastic.service.endpoint.malware : \\\"\\\" and not elastic.service.endpoint.memory_protection : 
\\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"8e04d29a-e144-4e68-a816-7e820fabc9b4\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":43,\"y\":0,\"w\":4,\"h\":7,\"i\":\"94022264-e2ce-4661-b384-b2b5454b02c8\"},\"panelIndex\":\"94022264-e2ce-4661-b384-b2b5454b02c8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Elastic Malware Protection Not Protecting\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not elastic.service.endpoint.malware: \\\"\\\" and not elastic.service.endpoint.malware 
: \\\"prevent\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not elastic.service.endpoint.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":7,\"w\":4,\"h\":7,\"i\":\"0336a4e3-a647-415d-84b5-fef984ac4a3f\"},\"panelIndex\":\"0336a4e3-a647-415d-84b5-fef984ac4a3f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"la
bel\":\"Systems with IOAV Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.ioav_protection.status : \\\"Disabled\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":7,\"w\":4,\"h\":7,\"i\":\"5fa1a00d-8e9c-441f-be66-9b5c01663fd7\"},\"panelIndex\":\"5fa1a00d-8e9c-441f-be66-9b5c01663fd7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"
query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Anti-Malware Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.antimalware.status : \\\"Disabled\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":4,\"h\":7,\"i\":\"4d4e6682-9758-4359-a6f0-1ba6ca5e40f5\"},\"panelIndex\":\"4d4e6682-9758-4359-a6f0-1ba6ca5e40f5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"al
l\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Anti-Virus Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.antivirus.status : \\\"Disabled\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":7,\"w\":4,\"h\":7,\"i\":\"6a29e48e-892b-4c8a-a3de-8884fd1d9820\"},\"panelIndex\":\"6a29e48e-892b-4c8a-a3de-8884fd1d9820\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":n
ull,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with NIS Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.nis.status : \\\"Disabled\\\" \",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of 
agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":7,\"w\":4,\"h\":7,\"i\":\"33d492ba-c62f-405e-84a2-c0254e8e743c\"},\"panelIndex\":\"33d492ba-c62f-405e-84a2-c0254e8e743c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with On-Access Protection 
Disabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"windows_defender.service.on_access_protection.status : \\\"Disabled\\\" \",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":27,\"y\":7,\"w\":4,\"h\":7,\"i\":\"685110fd-a3a4-441b-b9b6-42316b8e33ee\"},\"panelIndex\":\"685110fd-a3a4-441b-b9b6-42316b8e33ee\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"langu
age\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with ACCM Not Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.accm.status : \\\"Running\\\" and not trellix.service.accm.version : \\\"\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"not trellix.service.accm.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":7,\"w\":4,\"h\":7,\"i\":\"f985f8a3-3272-43d8-90e6-76e56aac5f91\"},\"panelIndex\":\"f985f8a3-3272-43d8-90e6-76e56aac5f91\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf5
7\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with DLP Not Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.dlp.status : \\\"Running\\\" and not trellix.service.dlp.version : \\\"\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not trellix.service.dlp.version : 
\\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":35,\"y\":7,\"w\":4,\"h\":7,\"i\":\"16205847-2ebc-46db-bc4b-606228f52996\"},\"panelIndex\":\"16205847-2ebc-46db-bc4b-606228f52996\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with RSD Not Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not trellix.service.rsd.status : \\\"Running\\\" and not trellix.service.rsd.version : 
\\\"\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not trellix.service.rsd.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":39,\"y\":7,\"w\":4,\"h\":7,\"i\":\"fb20b198-fe52-4bb3-b6dd-d4d74855ca73\"},\"panelIndex\":\"fb20b198-fe52-4bb3-b6dd-d4d74855ca73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Syste
ms with Elastic Behavior Protection Not Protecting\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not elastic.service.endpoint.behavior_protection : \\\"\\\" and not elastic.service.endpoint.behavior_protection : \\\"prevent\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not elastic.service.endpoint.version : \\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":43,\"y\":7,\"w\":4,\"h\":7,\"i\":\"5b9ce41f-1950-4c60-8322-a6aa80be383d\"},\"panelIndex\":\"5b9ce41f-1950-4c60-8322-a6aa80be383d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2\"}],\"state\":{\"visualization\":{\"layerId\":\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1.33},{\"color\":\"#d6bf57\",\"stop\":2.66},{\"color\":\"#cc5642\",\"stop\":4}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metr
icAccessor\":\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"showBar\":true,\"maxAccessor\":\"7713b385-a222-4c2f-a03b-6c8d04045c8a\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3bf4a05d-75bb-449c-8fd1-34014d8a71e2\":{\"columns\":{\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\":{\"label\":\"Systems with Elastic Memory Protection Not Protecting\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"not elastic.service.endpoint.memory_protection: \\\"\\\" and not elastic.service.endpoint..memory_protection: \\\"prevent\\\"\",\"language\":\"kuery\"}},\"7713b385-a222-4c2f-a03b-6c8d04045c8a\":{\"label\":\"Unique count of agent.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"not elastic.service.endpoint.version : 
\\\"\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"82ce687c-6166-4fe3-bad6-69ddbc84ec76\",\"7713b385-a222-4c2f-a03b-6c8d04045c8a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":14,\"w\":24,\"h\":8,\"i\":\"8bbedd4e-bc5e-413d-81a1-b17dd5152428\"},\"panelIndex\":\"8bbedd4e-bc5e-413d-81a1-b17dd5152428\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-c98d407f-b7b6-4f65-bb36-e67d26a3b8cb\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"c98d407f-b7b6-4f65-bb36-e67d26a3b8cb\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"c474b5fc-316d-4b04-a857-0476433994f5\"},{\"isTransposed\":false,\"columnId\":\"7114dee1-3e04-4de2-9f99-63d55defb006\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"0f57cac6-9654-421a-8d33-9ef83fbfbea3\"},{\"isTransposed\":false,\"columnId\":\"9b9d897c-2547-4e0a-bb29-196338b39f13\"},{\"isTransposed\":false,\"columnId\":\"a5a7cc94-56a0-4570-a209-35cd8ef7b3f5\"},{\"isTransposed\":false,\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\",\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c98d407f-b7b6-4f65-bb36-e67d26a3b8cb\":{\"columns\":{\"c474b5fc-316d-4b04-a857-0476433994f5\":{\"label\":\"Host 
IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ipv4\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7114dee1-3e04-4de2-9f99-63d55defb006\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0f57cac6-9654-421a-8d33-9ef83fbfbea3\":{\"label\":\"On Access Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.on_access_protection.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9b9d897c-2547-4e0a-bb29-196338b39f13\":{\"label\":\"Real Time 
Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.real_time_protection.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a5a7cc94-56a0-4570-a209-35cd8ef7b3f5\":{\"label\":\"IOAV Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.ioav_protection.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"7114dee1-3e04-4de2-9f99-63d55defb006\",\"c474b5fc-316d-4b04-a857-0476433994f5\",\"0f57cac6-9654-421a-8d33-9ef83fbfbea3\",\"9b9d897c-2547-4e0a-bb29-196338b39f13\",\"a5a7cc94-56a0-4570-a209-35cd8ef7b3f5\",\"6c95c57e-4555-492f-8ad6-40dbd3bb8b12\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"e00a8c06-9b49-4cb8-9cd5-598dbcb26113\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for 
System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Defender Protection\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":8,\"i\":\"5b7f5afe-074d-4b2e-8a81-53c925c2b698\"},\"panelIndex\":\"5b7f5afe-074d-4b2e-8a81-53c925c2b698\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"isTransposed\":false},{\"columnId\":\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"isTransposed\":false},{\"columnId\":\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"isTransposed\":false},{\"columnId\":\"7e2c653a-cc31-404e-847d-913fb28c20b8\",\"isTransposed\":false},{\"columnId\":\"aa495d01-49df-4dfa-9117-2efb3d4407b5\",\"isTransposed\":false}],\"layerId\":\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\":{\"columns\":{\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\":{\"label\":\"Elastic Agent 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.agent.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"76affbdb-026e-4c4d-ba16-8420cbf56dda\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eff89e1e-c098-4819-a4de-eb050dbbcd13\":{\"label\":\"Elastic Endpoint 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"7e2c653a-cc31-404e-847d-913fb28c20b8\":{\"label\":\"Elastic Agent Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.agent.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"aa495d01-49df-4dfa-9117-2efb3d4407b5\":{\"label\":\"Elastic Endpoint 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"7e2c653a-cc31-404e-847d-913fb28c20b8\",\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"aa495d01-49df-4dfa-9117-2efb3d4407b5\",\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"9dd45bd7-37df-4418-bcf0-00b80fe159a5\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Elastic Endpoint Status \"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":22,\"w\":24,\"h\":8,\"i\":\"3e9e34b5-9c30-4ef2-b616-bd55af84812a\"},\"panelIndex\":\"3e9e34b5-9c30-4ef2-b616-bd55af84812a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Active Antivirus 
Assets\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-5b735852-dd75-405e-9611-03fcd2e0a96b\"}],\"state\":{\"visualization\":{\"layerId\":\"5b735852-dd75-405e-9611-03fcd2e0a96b\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"485de305-7200-4ba9-b5f5-8af3932725a2\"},{\"isTransposed\":false,\"columnId\":\"33ceb4d0-aaf7-44b2-b3d7-cfe2be3369d9\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5108c5e3-f394-4061-b4a1-81d642c5b986\"},{\"isTransposed\":false,\"columnId\":\"c75b9cff-9203-42a5-aaae-3a7dea61fe25\"},{\"isTransposed\":false,\"columnId\":\"2cb5be2b-d061-4e44-a346-d2613e2d8552\"},{\"isTransposed\":false,\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\",\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5b735852-dd75-405e-9611-03fcd2e0a96b\":{\"columns\":{\"485de305-7200-4ba9-b5f5-8af3932725a2\":{\"label\":\"Host 
IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ipv4\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"33ceb4d0-aaf7-44b2-b3d7-cfe2be3369d9\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5108c5e3-f394-4061-b4a1-81d642c5b986\":{\"label\":\"Quick Scan 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antivirus.quick_scan.signature_version\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c75b9cff-9203-42a5-aaae-3a7dea61fe25\":{\"label\":\"Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antivirus.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2cb5be2b-d061-4e44-a346-d2613e2d8552\":{\"label\":\"Full Scan Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antivirus.full_scan.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"33ceb4d0-aaf7-44b2-b3d7-cfe2be3369d9\",\"485de305-7200-4ba9-b5f5-8af3932725a2\",\"5108c5e3-f394-4061-b4a1-81d642c5b986\",\"2cb5be2b-d061-4e44-a346-d2613e2d8552\",\"c75b9cff-9203-42a5-aaae-3a7dea61fe25\",\"1eeff7e9-617e-415e-8642-c5b0b4b2f439\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"5aa080e4-d756-4967-92d3-f92a920b315f\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"hidePanelTitles\":false},\"title\":\"Defender Antivirus\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":22,\"w\":24,\"h\":8,\"i\":\"469ca4f4-f561-461b-8067-52e9ccdd675d\"},\"panelIndex\":\"469ca4f4-f561-461b-8067-52e9ccdd675d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"isTransposed\":false},{\"columnId\":\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"isTransposed\":false},{\"columnId\":\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"isTransposed\":false},{\"columnId\":\"d15c5d0e-53c9-4e95-a815-ebbd0ace6b47\",\"isTransposed\":f
alse}],\"layerId\":\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\":{\"columns\":{\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\":{\"label\":\"Trellix ENS Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"76affbdb-026e-4c4d-ba16-8420cbf56dda\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eff89e1e-c098-4819-a4de-eb050dbbcd13\":{\"label\":\"Trellix ENS Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"d15c5d0e-53c9-4e95-a815-ebbd0ace6b47\":{\"label\":\"ENS Signature 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"d15c5d0e-53c9-4e95-a815-ebbd0ace6b47\",\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"39600cce-a379-46d1-9b6a-42c97b06c32d\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Trellix Endpoint Security 
Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":8,\"i\":\"3e1efdc5-02e7-46ff-bb1d-4642aa1f1327\"},\"panelIndex\":\"3e1efdc5-02e7-46ff-bb1d-4642aa1f1327\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-a4583603-ba5e-4eb5-ab11-7d8f7d5586ce\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"99cf82fa-4ea2-4168-bbe7-cd84efd5b468\"},{\"isTransposed\":false,\"columnId\":\"2ee1d67a-e5d4-4256-9f47-94c77fa3ee8a\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"cfbf81d7-8896-4df5-8b79-4ff131d5d4b4\"},{\"isTransposed\":false,\"columnId\":\"56035903-0bcc-4140-99e4-17c30c1bb440\"},{\"isTransposed\":false,\"columnId\":\"ac68d3d0-92e3-469d-b504-cd609a201cc5\"},{\"isTransposed\":false,\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\",\"hidden\":true}],\"layerId\":\"a4583603-ba5e-4eb5-ab11-7d8f7d5586ce\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a4583603-ba5e-4eb5-ab11-7d8f7d5586ce\":{\"columns\":{\"99cf82fa-4ea2-4168-bbe7-cd84efd5b468\":{\"label\":\"Host 
IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ipv4\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2ee1d67a-e5d4-4256-9f47-94c77fa3ee8a\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"cfbf81d7-8896-4df5-8b79-4ff131d5d4b4\":{\"label\":\"Product Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antimalware.product_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"56035903-0bcc-4140-99e4-17c30c1bb440\":{\"label\":\"Engine 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antimalware.engine_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ac68d3d0-92e3-469d-b504-cd609a201cc5\":{\"label\":\"Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antimalware.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2ee1d67a-e5d4-4256-9f47-94c77fa3ee8a\",\"99cf82fa-4ea2-4168-bbe7-cd84efd5b468\",\"cfbf81d7-8896-4df5-8b79-4ff131d5d4b4\",\"56035903-0bcc-4140-99e4-17c30c1bb440\",\"ac68d3d0-92e3-469d-b504-cd609a201cc5\",\"e15a4e68-fbf1-40b2-aa20-d993a9e4a214\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"8d9908e0-205b-43ec-8fd4-343ce4057237\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for 
System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Defender Antimalware\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":8,\"i\":\"d0f95b46-cb78-4246-b605-cf764851569e\"},\"panelIndex\":\"d0f95b46-cb78-4246-b605-cf764851569e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"isTransposed\":false},{\"columnId\":\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"isTransposed\":false},{\"columnId\":\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"isTransposed\":false}],\"layerId\":\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\":{\"columns\":{\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\":{\"label\":\"ACCM 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.accm.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"76affbdb-026e-4c4d-ba16-8420cbf56dda\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eff89e1e-c098-4819-a4de-eb050dbbcd13\":{\"label\":\"ACCM 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.accm.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"9b0c3115-07d2-4a63-be6e-424b453fd041\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"ACCM 
Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":24,\"h\":8,\"i\":\"08341f8a-a71d-414d-8b73-d1648e343d3c\"},\"panelIndex\":\"08341f8a-a71d-414d-8b73-d1648e343d3c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-6d406795-8e1a-4015-909d-8a0125090f83\"}],\"state\":{\"visualization\":{\"layerId\":\"6d406795-8e1a-4015-909d-8a0125090f83\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"0acc6180-132d-4fc3-b32e-0f3ed79b1712\"},{\"isTransposed\":false,\"columnId\":\"c7fb6c5e-23c3-4584-8325-a715a3e55c0c\"},{\"isTransposed\":false,\"columnId\":\"7d79ed89-257d-412b-b67f-5e7e323485ae\"},{\"isTransposed\":false,\"columnId\":\"dd0ce9a1-5dd8-4836-b4ef-ea94d6b2592b\",\"hidden\":false,\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\",\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6d406795-8e1a-4015-909d-8a0125090f83\":{\"columns\":{\"0acc6180-132d-4fc3-b32e-0f3ed79b1712\":{\"label\":\"Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antispyware.signature_version\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c7fb6c5e-23c3-4584-8325-a715a3e55c0c\":{\"label\":\"Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antispyware.status\",\"isBucketed\"
:true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7d79ed89-257d-412b-b67f-5e7e323485ae\":{\"label\":\"Host IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ipv4\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"dd0ce9a1-5dd8-4836-b4ef-ea94d6b2592b\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"dd0ce9a1-5dd8-4836-b4ef-ea94d6b2592b\",\"7d79ed89-257d-412b-b67f-5e7e323485ae\",\"0acc6180-132d-4fc3-b32e-0f3ed79b1712\",\"c7fb6c5e-23c3-4584-8325-a715a3e55c0c\",\"1291d4e7-6e58-44b4-b7bf-3bb2542c2a07\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"641eddc6-5d50-4512-9409-a6d9f49e7e8a\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Defender Antispyware\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":8,\"i\":\"79fcc1f0-f7d1-4ac5-8b1a-790dcd1ca676\"},\"panelIndex\":\"79fcc1f0-f7d1-4ac5-8b1a-790dcd1ca676\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"isTransposed\":false},{\"columnId\":\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"isTransposed\":false},{\"columnId\":\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"isTransposed\":false}],\"layerId\":\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"langua
ge\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\":{\"columns\":{\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\":{\"label\":\"RSD Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.rsd.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"76affbdb-026e-4c4d-ba16-8420cbf56dda\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eff89e1e-c098-4819-a4de-eb050dbbcd13\":{\"label\":\"RSD 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.rsd.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"04264bb0-25f8-4128-b7dc-821f46b7dd54\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Trellix Rogue System Detection 
\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":8,\"i\":\"dad722ab-af91-4d03-a313-faab0d9533c5\"},\"panelIndex\":\"dad722ab-af91-4d03-a313-faab0d9533c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-140a1766-6ea5-4c9c-9c7c-244b239a9d96\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"ed88526d-22bc-4fe9-bf8c-8054dcf29513\"},{\"isTransposed\":false,\"columnId\":\"3f5af84a-9f76-40dd-aceb-14d89c193701\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"6659fc9a-979e-4207-be9a-c9f73f507897\"},{\"isTransposed\":false,\"columnId\":\"50793a11-2d90-4843-81df-3c65675a9efd\"},{\"isTransposed\":false,\"columnId\":\"100d1fb2-4db6-4ad3-9769-3cefdb067fb8\"},{\"isTransposed\":false,\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\",\"hidden\":true}],\"layerId\":\"140a1766-6ea5-4c9c-9c7c-244b239a9d96\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"140a1766-6ea5-4c9c-9c7c-244b239a9d96\":{\"columns\":{\"ed88526d-22bc-4fe9-bf8c-8054dcf29513\":{\"label\":\"Host 
IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ipv4\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3f5af84a-9f76-40dd-aceb-14d89c193701\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6659fc9a-979e-4207-be9a-c9f73f507897\":{\"label\":\"Signature Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.nis.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"50793a11-2d90-4843-81df-3c65675a9efd\":{\"label\":\"Engine 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.nis.engine_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"100d1fb2-4db6-4ad3-9769-3cefdb067fb8\":{\"label\":\"Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.nis.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ae33139-d059-4477-890a-06dc7abfb798\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3ae33139-d059-4477-890a-06dc7abfb798\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"3f5af84a-9f76-40dd-aceb-14d89c193701\",\"ed88526d-22bc-4fe9-bf8c-8054dcf29513\",\"6659fc9a-979e-4207-be9a-c9f73f507897\",\"50793a11-2d90-4843-81df-3c65675a9efd\",\"100d1fb2-4db6-4ad3-9769-3cefdb067fb8\",\"3ae33139-d059-4477-890a-06dc7abfb798\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"24732923-c957-4110-8558-e38a86ad50bf\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for 
System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Defender NIS\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":38,\"w\":24,\"h\":8,\"i\":\"426f8706-b652-422d-a763-19eb6a28916f\"},\"panelIndex\":\"426f8706-b652-422d-a763-19eb6a28916f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"isTransposed\":false},{\"columnId\":\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"isTransposed\":false},{\"columnId\":\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"isTransposed\":false}],\"layerId\":\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f0204bf6-51c3-4a5a-a267-b9d92c0bdcae\":{\"columns\":{\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\":{\"label\":\"Policy Auditor 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.pa.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"76affbdb-026e-4c4d-ba16-8420cbf56dda\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eff89e1e-c098-4819-a4de-eb050dbbcd13\":{\"label\":\"Policy Auditor 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.pa.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"4d4418c0-d3dd-4bc7-8f4b-78fe0a8afaac\",\"76affbdb-026e-4c4d-ba16-8420cbf56dda\",\"85aea8a2-c9c3-4118-8503-c6b9df2c890a\",\"eff89e1e-c098-4819-a4de-eb050dbbcd13\",\"8763a5c5-efbe-4ccb-bdb5-8372b47f69ee\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"547ea5a0-a1ae-4a90-8cd0-7ad0e177b613\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Drill to Endpoint Browser for System\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Trellix Policy Auditor Status\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": " [TYCHON] Endpoint Protection Status", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T21:17:53.197Z", + "id": "tychon-267716e0-e9d8-11ed-9d4a-9513ae375d2b-epp", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "f9a975c1-d99b-436b-9173-c616f0059426:indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": 
"dca19098-8eb9-440e-abf0-19ef55cee62c:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "4383ee4c-ec16-48c2-bb13-8f896a9519d4:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "d3b08c18-3a64-4ea0-95f1-39ac4198013d:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "ac716d8e-e533-4072-aa74-65848d4e0925:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "e5b0bf6c-69e6-4892-b691-9bc21f0c6b25:indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "bc5b8947-a82b-44d5-bea7-addfad736ad2:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "370c3dc5-5a15-4347-b9a7-7d75ac86cb10:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "116cc01e-5861-4993-baaf-3f0cc2a312cf:indexpattern-datasource-layer-69f12a8d-98b2-49f6-bbf5-4182bffc0572", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "94022264-e2ce-4661-b384-b2b5454b02c8:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "0336a4e3-a647-415d-84b5-fef984ac4a3f:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": 
"5fa1a00d-8e9c-441f-be66-9b5c01663fd7:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "4d4e6682-9758-4359-a6f0-1ba6ca5e40f5:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "6a29e48e-892b-4c8a-a3de-8884fd1d9820:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "33d492ba-c62f-405e-84a2-c0254e8e743c:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "685110fd-a3a4-441b-b9b6-42316b8e33ee:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "f985f8a3-3272-43d8-90e6-76e56aac5f91:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "16205847-2ebc-46db-bc4b-606228f52996:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "fb20b198-fe52-4bb3-b6dd-d4d74855ca73:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "5b9ce41f-1950-4c60-8322-a6aa80be383d:indexpattern-datasource-layer-3bf4a05d-75bb-449c-8fd1-34014d8a71e2", + "type": "index-pattern" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "8bbedd4e-bc5e-413d-81a1-b17dd5152428:indexpattern-datasource-layer-c98d407f-b7b6-4f65-bb36-e67d26a3b8cb", + "type": "index-pattern" + }, + { + "id": 
"tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "8bbedd4e-bc5e-413d-81a1-b17dd5152428:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:e00a8c06-9b49-4cb8-9cd5-598dbcb26113:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "5b7f5afe-074d-4b2e-8a81-53c925c2b698:indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "5b7f5afe-074d-4b2e-8a81-53c925c2b698:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:9dd45bd7-37df-4418-bcf0-00b80fe159a5:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "3e9e34b5-9c30-4ef2-b616-bd55af84812a:indexpattern-datasource-layer-5b735852-dd75-405e-9611-03fcd2e0a96b", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "3e9e34b5-9c30-4ef2-b616-bd55af84812a:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:5aa080e4-d756-4967-92d3-f92a920b315f:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "469ca4f4-f561-461b-8067-52e9ccdd675d:indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "469ca4f4-f561-461b-8067-52e9ccdd675d:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:39600cce-a379-46d1-9b6a-42c97b06c32d:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "3e1efdc5-02e7-46ff-bb1d-4642aa1f1327:indexpattern-datasource-layer-a4583603-ba5e-4eb5-ab11-7d8f7d5586ce", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "3e1efdc5-02e7-46ff-bb1d-4642aa1f1327:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:8d9908e0-205b-43ec-8fd4-343ce4057237:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", 
+ "name": "d0f95b46-cb78-4246-b605-cf764851569e:indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "d0f95b46-cb78-4246-b605-cf764851569e:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:9b0c3115-07d2-4a63-be6e-424b453fd041:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "08341f8a-a71d-414d-8b73-d1648e343d3c:indexpattern-datasource-layer-6d406795-8e1a-4015-909d-8a0125090f83", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "08341f8a-a71d-414d-8b73-d1648e343d3c:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:641eddc6-5d50-4512-9409-a6d9f49e7e8a:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "79fcc1f0-f7d1-4ac5-8b1a-790dcd1ca676:indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "79fcc1f0-f7d1-4ac5-8b1a-790dcd1ca676:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:04264bb0-25f8-4128-b7dc-821f46b7dd54:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "dad722ab-af91-4d03-a313-faab0d9533c5:indexpattern-datasource-layer-140a1766-6ea5-4c9c-9c7c-244b239a9d96", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "dad722ab-af91-4d03-a313-faab0d9533c5:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:24732923-c957-4110-8558-e38a86ad50bf:dashboardId", + "type": "dashboard" + }, + { + "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00", + "name": "426f8706-b652-422d-a763-19eb6a28916f:indexpattern-datasource-layer-f0204bf6-51c3-4a5a-a267-b9d92c0bdcae", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": 
"426f8706-b652-422d-a763-19eb6a28916f:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:547ea5a0-a1ae-4a90-8cd0-7ad0e177b613:dashboardId", + "type": "dashboard" + }, + { + "id": "bae88930-1133-11ee-af86-538da1394f27", + "name": "tag-ref-bae88930-1133-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "39b55820-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-39b55820-10f2-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T21:17:53.197Z", + "version": "WzgyMjcwNiwyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-2bd4ca50-3dfd-11ee-9610-15dee918f31a-softwareinventory.json b/packages/tychon/kibana/dashboard/tychon-2bd4ca50-3dfd-11ee-9610-15dee918f31a-softwareinventory.json new file mode 100644 index 00000000000..195fc2fb98f --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-2bd4ca50-3dfd-11ee-9610-15dee918f31a-softwareinventory.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"8f5ba1f4-07f6-41a9-85c0-6060d10c200a\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExists\":true,\"hideExclude\":true,\"id\":\"8f5ba1f4-07f6-41a9-85c0-6060d10c200a\",\"enhancements\":{}}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Software Inventory view displays all installed Applications and Products on a computer, its version, and the last time it was seen.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":true,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"341d7ddd-16bc-4f9d-ab47-a7f337ad3a76\"},\"panelIndex\":\"341d7ddd-16bc-4f9d-ab47-a7f337ad3a76\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true},\"panelRefName\":\"panel_341d7ddd-16bc-4f9d-ab47-a7f337ad3a76\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":5,\"h\":10,\"i\":\"f9aaeeaf-3553-4857-b4e6-d6d73056341e\"},\"panelIndex\":\"f9aaeeaf-3553-4857-b4e6-d6d73056341e\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### 
Software Installed\\nTYCHON reports both Windows Store applications and typical installed programs. TYCHON does not drop records when applications are removed and will update apps when they are added or upgraded.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":5,\"y\":3,\"w\":7,\"h\":10,\"i\":\"ea1f4eb7-c8ef-4907-a106-734dac97ec4b\"},\"panelIndex\":\"ea1f4eb7-c8ef-4907-a106-734dac97ec4b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e0015160-781d-4885-9ae6-04230d059bfb\",\"name\":\"indexpattern-datasource-layer-8edfce3b-22f2-4c48-a63f-825b9418bcf3\"}],\"state\":{\"visualization\":{\"layerId\":\"8edfce3b-22f2-4c48-a63f-825b9418bcf3\",\"accessor\":\"e78025b8-c96b-45bd-8202-8b5a06fb8355\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"8edfce3b-22f2-4c48-a63f-825b9418bcf3\":{\"columns\":{\"e78025b8-c96b-45bd-8202-8b5a06fb8355\":{\"label\":\"Total Software 
Installed\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"package.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"e78025b8-c96b-45bd-8202-8b5a06fb8355\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":3,\"w\":10,\"h\":10,\"i\":\"b75181e4-77ee-4c10-b857-154234080c8c\"},\"panelIndex\":\"b75181e4-77ee-4c10-b857-154234080c8c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e0015160-781d-4885-9ae6-04230d059bfb\",\"name\":\"indexpattern-datasource-layer-03a2e212-519d-46f5-868b-a7c914f289e0\"}],\"state\":{\"visualization\":{\"shape\":\"mosaic\",\"palette\":{\"type\":\"palette\",\"name\":\"cool\"},\"layers\":[{\"layerId\":\"03a2e212-519d-46f5-868b-a7c914f289e0\",\"primaryGroups\":[\"cbf846c8-f838-4483-8097-2225de0b3d57\"],\"secondaryGroups\":[],\"metrics\":[\"dd21a1e4-6110-4b11-a1a7-674a03e262c0\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"allowMultipleMetrics\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"03a2e212-519d-46f5-868b-a7c914f289e0\":{\"columns\":{\"cbf846c8-f838-4483-8097-2225de0b3d57\":{\"label\":\"Package 
Types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"package.type\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd21a1e4-6110-4b11-a1a7-674a03e262c0\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"dd21a1e4-6110-4b11-a1a7-674a03e262c0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"cbf846c8-f838-4483-8097-2225de0b3d57\",\"dd21a1e4-6110-4b11-a1a7-674a03e262c0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Software Type\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":22,\"y\":3,\"w\":26,\"h\":10,\"i\":\"92b47b97-ad52-40c2-9b89-bbde77e7f00e\"},\"panelIndex\":\"92b47b97-ad52-40c2-9b89-bbde77e7f00e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e0015160-781d-4885-9ae6-04230d059bfb\",\"name\":\"indexpattern-datasource-layer-057703a5-7f81-4be1-82c4-2f27bbf2615c\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"057703a5-7f81-4be1-82c4-2f27bbf2615c\",
\"accessors\":[\"3ffc6314-731f-4048-b5b6-a1d673384858\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"888ceeac-4036-4b29-a96a-c49d9b4602c3\",\"yConfig\":[{\"forAccessor\":\"3ffc6314-731f-4048-b5b6-a1d673384858\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"057703a5-7f81-4be1-82c4-2f27bbf2615c\":{\"columns\":{\"888ceeac-4036-4b29-a96a-c49d9b4602c3\":{\"label\":\"Publisher\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"package.publisher\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3ffc6314-731f-4048-b5b6-a1d673384858\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3ffc6314-731f-4048-b5b6-a1d673384858\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"888ceeac-4036-4b29-a96a-c49d9b4602c3\",\"3ffc6314-731f-4048-b5b6-a1d673384858\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Software By 
Publisher\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":33,\"i\":\"6e3b23f2-6754-4dda-a428-f68e622ed411\"},\"panelIndex\":\"6e3b23f2-6754-4dda-a428-f68e622ed411\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e0015160-781d-4885-9ae6-04230d059bfb\",\"name\":\"indexpattern-datasource-layer-a8eb0e1b-2c4e-4717-b533-0b39e227a2a8\"}],\"state\":{\"visualization\":{\"layerId\":\"a8eb0e1b-2c4e-4717-b533-0b39e227a2a8\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bd55582e-c727-4f43-93cf-c1dfbfc46c40\",\"alignment\":\"left\"},{\"columnId\":\"529bf337-2458-4752-a815-7a5d0d84dc32\",\"hidden\":true},{\"columnId\":\"a4df1e47-a590-44d4-8bc5-e120c094a1ca\",\"isTransposed\":false,\"alignment\":\"left\"},{\"columnId\":\"a20d1958-fa8e-476c-acf9-74c0323c65d3\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"28fd934b-7413-4196-b397-f42832cfa4c1\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8eb0e1b-2c4e-4717-b533-0b39e227a2a8\":{\"columns\":{\"bd55582e-c727-4f43-93cf-c1dfbfc46c40\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"package.name\",\"isBucketed\":true,\"params\":{\"size\":500,\"orderBy\":{\"type\":\"column\",\"columnId\":\"529bf337-2458-4752-a815-7a5d0d84dc32\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"529bf337-2458-4752-a815-7a5d0d84dc32\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"a4df1e47-a590-44d4-8bc5-e120c094a1ca\":{\"label\":\"Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"529bf337-2458-4752-a815-7a5d0d84dc32\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a20d1958-fa8e-476c-acf9-74c0323c65d3\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"package.type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"529bf337-2458-4752-a815-7a5d0d84dc32\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"28fd934b-7413-4196-b397-f42832cfa4c1\":{\"label\":\"Last Seen\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"@timestamp\",\"filter\":{\"query\":\"@timestamp: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true}},\"columnOrder\":[\"bd55582e-c727-4f43-93cf-c1dfbfc46c40\",\"a4df1e47-a590-44d4-8bc5-e120c094a1ca\",\"a20d1958-fa8e-476c-acf9-74c0323c65d3\",\"529bf337-2458-4752-a815-7a5d0d84dc32\",\"28fd934b-7413-4196-b397-f42832cfa4c1\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Installed Software and Applications\"}]", + 
"refreshInterval": {
+ "pause": true,
+ "value": 0
+ },
+ "timeFrom": "now-24h/h",
+ "timeRestore": true,
+ "timeTo": "now",
+ "title": "[TYCHON] Endpoint Browser - Software Inventory",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-23T20:46:31.347Z",
+ "id": "tychon-2bd4ca50-3dfd-11ee-9610-15dee918f31a-softwareinventory",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc",
+ "name": "341d7ddd-16bc-4f9d-ab47-a7f337ad3a76:panel_341d7ddd-16bc-4f9d-ab47-a7f337ad3a76",
+ "type": "visualization"
+ },
+ {
+ "id": "e0015160-781d-4885-9ae6-04230d059bfb",
+ "name": "ea1f4eb7-c8ef-4907-a106-734dac97ec4b:indexpattern-datasource-layer-8edfce3b-22f2-4c48-a63f-825b9418bcf3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "e0015160-781d-4885-9ae6-04230d059bfb",
+ "name": "b75181e4-77ee-4c10-b857-154234080c8c:indexpattern-datasource-layer-03a2e212-519d-46f5-868b-a7c914f289e0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "e0015160-781d-4885-9ae6-04230d059bfb",
+ "name": "92b47b97-ad52-40c2-9b89-bbde77e7f00e:indexpattern-datasource-layer-057703a5-7f81-4be1-82c4-2f27bbf2615c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "e0015160-781d-4885-9ae6-04230d059bfb",
+ "name": "6e3b23f2-6754-4dda-a428-f68e622ed411:indexpattern-datasource-layer-a8eb0e1b-2c4e-4717-b533-0b39e227a2a8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "bb5226cd-c099-46d2-bb71-0257232c7d82",
+ "name": "controlGroup_8f5ba1f4-07f6-41a9-85c0-6060d10c200a:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "a3922360-3de6-11ee-9610-15dee918f31a",
+ "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
+ "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": 
"27edf330-3dfd-11ee-9610-15dee918f31a",
+ "name": "tag-ref-27edf330-3dfd-11ee-9610-15dee918f31a",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2023-08-23T20:46:31.347Z",
+ "version": "WzgyMDk3MSwyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve.json b/packages/tychon/kibana/dashboard/tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve.json
new file mode 100644
index 00000000000..e187b2f0425
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve.json
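Review bot: The software-inventory dashboard's four lens panels and its hostname control resolve against two different data views: every lens reference uses id `e0015160-781d-4885-9ae6-04230d059bfb`, while `controlGroup_8f5ba1f4-07f6-41a9-85c0-6060d10c200a:optionsListDataView` points at `bb5226cd-c099-46d2-bb71-0257232c7d82`, and both look like export-time UUIDs rather than a data view the package is known to install. If neither saved object exists with that exact id on the target Kibana, the panels or the host selector will fail to load on a fresh install, so I would confirm both ids are shipped as kibana assets or collapse them to a single data view before merging. The per-panel `\"version\":\"8.6.2\"` and the top-level `"coreMigrationVersion": "8.6.2"` pin this export to 8.6.2, so the package manifest's Kibana version constraint (not in this diff) should be no lower than that. Style: the file ends without a trailing newline (`\ No newline at end of file`), which a JSON formatter would add.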
@@ -0,0 +1,116 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"8c4d7403-b7c0-4274-9e12-cec69c62e01e\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"8c4d7403-b7c0-4274-9e12-cec69c62e01e\",\"enhancements\":{},\"selectedOptions\":[]}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Vulnerabilities view displays all CVEs checked by TYCHON and reported as passed or failed.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"e243d9ab-d083-4b45-88a2-9581bf3689ae\"},\"panelIndex\":\"e243d9ab-d083-4b45-88a2-9581bf3689ae\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_e243d9ab-d083-4b45-88a2-9581bf3689ae\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":7,\"h\":8,\"i\":\"9c9464be-67ab-4220-bbab-50cfda4e211f\"},\"panelIndex\":\"9c9464be-67ab-4220-bbab-50cfda4e211f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### 
Vulnerabilities\\nTYCHON will scan and report what CVEs are vulnerable on an endpoint, this is a local check using OVAL and customized content. Severity and third-party identifiers like IAVA and CISA dates are pre-correlated at the endpoint in its definition.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":16,\"y\":3,\"w\":8,\"h\":8,\"i\":\"18ef0327-ab0a-46d7-ac9c-bf8d01e28eba\"},\"panelIndex\":\"18ef0327-ab0a-46d7-ac9c-bf8d01e28eba\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\"}],\"state\":{\"visualization\":{\"layerId\":\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\",\"accessor\":\"f0df1a7d-307a-40d6-9925-8afb18d9808c\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"l\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":100}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":null},{\"color\":\"#209280\",\"stop\":0},{\"color\":\"#cc5642\",\"stop\":1}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"vulnerability.due_date \u003c now and vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\":{\"columns\":{\"f0df1a7d-307a-40d6-9925-8afb18d9808c\":{\"label\":\"Failed Vulnerabilities Pass 
Due\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"f0df1a7d-307a-40d6-9925-8afb18d9808c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":3,\"w\":8,\"h\":8,\"i\":\"0f3331b8-da1a-452c-a1b0-39a5558a1379\"},\"panelIndex\":\"0f3331b8-da1a-452c-a1b0-39a5558a1379\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\"}],\"state\":{\"visualization\":{\"layerId\":\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\",\"accessor\":\"f0df1a7d-307a-40d6-9925-8afb18d9808c\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"l\"},\"query\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\":{\"columns\":{\"f0df1a7d-307a-40d6-9925-8afb18d9808c\":{\"label\":\"Total Failed 
Vulnerabilities\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"f0df1a7d-307a-40d6-9925-8afb18d9808c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":3,\"w\":8,\"h\":8,\"i\":\"91a3fb55-660d-48ec-89f2-4e5b3122b49b\"},\"panelIndex\":\"91a3fb55-660d-48ec-89f2-4e5b3122b49b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\"}],\"state\":{\"visualization\":{\"layerId\":\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\",\"accessor\":\"f0df1a7d-307a-40d6-9925-8afb18d9808c\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"l\"},\"query\":{\"query\":\"vulnerability.result : \\\"fail\\\" and vulnerability.due_date_reason : \\\"iava\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\":{\"columns\":{\"f0df1a7d-307a-40d6-9925-8afb18d9808c\":{\"label\":\"Total IAVA Failed 
Vulnerabilities\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"f0df1a7d-307a-40d6-9925-8afb18d9808c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":40,\"y\":3,\"w\":8,\"h\":8,\"i\":\"ecee7b3f-f07e-4911-bb36-405e687f3ae0\"},\"panelIndex\":\"ecee7b3f-f07e-4911-bb36-405e687f3ae0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\"}],\"state\":{\"visualization\":{\"layerId\":\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\",\"accessor\":\"f0df1a7d-307a-40d6-9925-8afb18d9808c\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"l\"},\"query\":{\"query\":\"vulnerability.result : \\\"fail\\\" and vulnerability.due_date_reason : \\\"cisa\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b\":{\"columns\":{\"f0df1a7d-307a-40d6-9925-8afb18d9808c\":{\"label\":\"Total CISA Failed 
Vulnerabilities\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"f0df1a7d-307a-40d6-9925-8afb18d9808c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":3,\"w\":9,\"h\":8,\"i\":\"eadda9a3-732f-4ad7-81fb-7abc16fe4bd2\"},\"panelIndex\":\"eadda9a3-732f-4ad7-81fb-7abc16fe4bd2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-cd8f844b-1401-4c37-9b58-7ee816064353\"}],\"state\":{\"visualization\":{\"layerId\":\"cd8f844b-1401-4c37-9b58-7ee816064353\",\"accessor\":\"4db8ade0-256f-4272-99a0-61495a90c327\",\"layerType\":\"data\",\"colorMode\":\"None\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"cd8f844b-1401-4c37-9b58-7ee816064353\":{\"columns\":{\"4db8ade0-256f-4272-99a0-61495a90c327\":{\"label\":\"Total 
Vulnerabilities\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"4db8ade0-256f-4272-99a0-61495a90c327\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":11,\"w\":16,\"h\":16,\"i\":\"721cfff2-211b-4e21-a5a7-874dcd0e6edc\"},\"panelIndex\":\"721cfff2-211b-4e21-a5a7-874dcd0e6edc\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-9f9cf1ce-1e59-4b0f-a264-04b877d4dfba\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"9f9cf1ce-1e59-4b0f-a264-04b877d4dfba\",\"accessors\":[\"c3ae2971-d1a3-447e-9679-439492ce7757\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"efb8128a-a1e5-46bb-8278-9c81fb97f741\",\"yConfig\":[{\"forAccessor\":\"c3ae2971-d1a3-447e-9679-439492ce7757\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9f9cf1ce-1e59-4b0f-a264-04b877d4dfba\":{\"columns\":{\"efb8128a-a1e5-46bb-8278-9c81fb97f741\":{\"label\":\"Severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c3ae2971-d1a3-447e-9679-439492ce7757\"},\"orderDirection\":\"desc\",\"otherBucket\"
:true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c3ae2971-d1a3-447e-9679-439492ce7757\":{\"label\":\"Unique count of vulnerability.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"efb8128a-a1e5-46bb-8278-9c81fb97f741\",\"c3ae2971-d1a3-447e-9679-439492ce7757\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities By Severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":32,\"h\":15,\"i\":\"30647fae-03f0-46a0-b6a6-96f4b9692227\"},\"panelIndex\":\"30647fae-03f0-46a0-b6a6-96f4b9692227\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-d268dc70-0f0d-443b-b702-d08241bc0733\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"ac337e99-130a-4af6-a771-32b72b41ea02\",\"alignment\":\"left\"},{\"columnId\":\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\",\"isTransposed\":false},{\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":5,\"stops\":[{\"color\":\"#D6BF57\",\"stop\":4},{\"color\":\"#d69d57\",\"stop\":6},{\"color\":\"#e7664c\",\"stop\":8},{\"color\":\"#cc5642\",\"stop\":100}],\"name\":\"custom\",\"colorStops\":[{\"color\":\"#D6BF57\",\"stop\":0},{\"color\":\"#d69d57\",\"stop\":4},{\"color\":\"#e7664c\",\"stop\":6},{\"color\":\"#cc5642\",\"stop\":8}],\"continuity\":\"a
bove\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}},{\"columnId\":\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"isTransposed\":false},{\"columnId\":\"7c5f284d-4d53-4b1d-bde1-dd7d0b6eaac9\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"c97d1951-13d7-4266-a021-151ea9e8b441\",\"isTransposed\":false},{\"columnId\":\"05257a37-66cb-4415-979e-b99535b47e1d\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"d268dc70-0f0d-443b-b702-d08241bc0733\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"direction\":\"asc\"}},\"query\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d268dc70-0f0d-443b-b702-d08241bc0733\":{\"columns\":{\"ac337e99-130a-4af6-a771-32b72b41ea02\":{\"label\":\"Vulnerability ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\":{\"label\":\"Title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.title\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\":{\"label\":\"NVD 
Score\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"vulnerability.score.base\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"vulnerability.result: *\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\":{\"label\":\"Result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.result\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7c5f284d-4d53-4b1d-bde1-dd7d0b6eaac9\":{\"label\":\"IAVA\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.iava\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c97d1951-13d7-4266-a021-151ea9e8b441\":{\"label\":\"Due Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"vulnerability.due_date\",\"filter\":{\"query\":\"vulnerability.due_date: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"05257a37-66cb-4415-979e-b99535b47e1d\":{\"label\":\"Due Date 
Category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.due_date_reason\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"ac337e99-130a-4af6-a771-32b72b41ea02\",\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\",\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"7c5f284d-4d53-4b1d-bde1-dd7d0b6eaac9\",\"05257a37-66cb-4415-979e-b99535b47e1d\",\"c97d1951-13d7-4266-a021-151ea9e8b441\",\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Failed CVEs\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":27,\"w\":16,\"h\":18,\"i\":\"b146db26-e963-43f4-b2cd-60eb96128506\"},\"panelIndex\":\"b146db26-e963-43f4-b2cd-60eb96128506\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-52771762-574a-44e5-b312-212bca766745\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"},\"layers\":[{\"layerId\":\"52771762-574a-44e5-b312-212bca766745\",\"primaryGroups\":[\"21eb78e0-4d9a-4896-b595-ed36a4c81086\"],\"metrics\":[\"d694059d-3e12-48e0-8534-c02795963840\"],\"numberDisplay\":\"value\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{
\"52771762-574a-44e5-b312-212bca766745\":{\"columns\":{\"21eb78e0-4d9a-4896-b595-ed36a4c81086\":{\"label\":\"Top 20 values of vulnerability.year\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.year\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"d694059d-3e12-48e0-8534-c02795963840\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"d694059d-3e12-48e0-8534-c02795963840\":{\"label\":\"Unique count of vulnerability.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"21eb78e0-4d9a-4896-b595-ed36a4c81086\",\"d694059d-3e12-48e0-8534-c02795963840\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities by 
Year\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":32,\"h\":19,\"i\":\"a004f187-6f6e-4875-b63e-2b50db064884\"},\"panelIndex\":\"a004f187-6f6e-4875-b63e-2b50db064884\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-d268dc70-0f0d-443b-b702-d08241bc0733\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"ac337e99-130a-4af6-a771-32b72b41ea02\",\"alignment\":\"left\"},{\"columnId\":\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\",\"isTransposed\":false},{\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":5,\"stops\":[{\"color\":\"#45e245\",\"stop\":3},{\"color\":\"#d69d57\",\"stop\":5},{\"color\":\"#df7d6c\",\"stop\":7},{\"color\":\"#e63410\",\"stop\":7.599999904632568}],\"name\":\"custom\",\"colorStops\":[{\"color\":\"#45e245\",\"stop\":1},{\"color\":\"#d69d57\",\"stop\":3},{\"color\":\"#df7d6c\",\"stop\":5},{\"color\":\"#e63410\",\"stop\":7}],\"continuity\":\"none\",\"reverse\":false,\"rangeMin\":1,\"rangeMax\":10,\"rangeType\":\"number\"}}},{\"columnId\":\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"isTransposed\":false},{\"columnId\":\"cc9726cd-0333-4030-8ef7-8ca6a134cd74\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"d268dc70-0f0d-443b-b702-d08241bc0733\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"direction\":\"asc\"}},\"query\":{\"query\":\"vulnerability.result : \\\"pass\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d268dc70-0f0d-443b-b702-d08241bc0733\":{\"columns\":{\"ac337e99-130a-4af6-a771-32b72b41ea02\":{\"label\":\"Vulnerability 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\":{\"label\":\"Title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.title\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\":{\"label\":\"NVD Score\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"vulnerability.score.base\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"vulnerability.result: 
*\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\":{\"label\":\"Result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.result\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"cc9726cd-0333-4030-8ef7-8ca6a134cd74\":{\"label\":\"IAVA\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.iava\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"ac337e99-130a-4af6-a771-32b72b41ea02\",\"5e9e7b30-a800-4757-b55c-e7bc60ed32be\",\"eeb56262-f4a7-451c-9a81-dfb12bc296c6\",\"cc9726cd-0333-4030-8ef7-8ca6a134cd74\",\"9d6c754b-aacd-4f6a-8f86-1fb01e957616\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Passed CVEs\"}]",
+ "refreshInterval": {
+ "pause": true,
+ "value": 0
+ },
+ "timeFrom": "now-30d/d",
+ "timeRestore": true,
+ "timeTo": "now",
+ "title": "[TYCHON] Endpoint Browser - Vulnerabilities ",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-23T20:51:50.468Z",
+ "id": "tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": 
"tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc",
+ "name": "e243d9ab-d083-4b45-88a2-9581bf3689ae:panel_e243d9ab-d083-4b45-88a2-9581bf3689ae",
+ "type": "visualization"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "18ef0327-ab0a-46d7-ac9c-bf8d01e28eba:indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "0f3331b8-da1a-452c-a1b0-39a5558a1379:indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "91a3fb55-660d-48ec-89f2-4e5b3122b49b:indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "ecee7b3f-f07e-4911-bb36-405e687f3ae0:indexpattern-datasource-layer-b5de6e20-9f56-4bec-b4b3-1acb9eb2e76b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "eadda9a3-732f-4ad7-81fb-7abc16fe4bd2:indexpattern-datasource-layer-cd8f844b-1401-4c37-9b58-7ee816064353",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "721cfff2-211b-4e21-a5a7-874dcd0e6edc:indexpattern-datasource-layer-9f9cf1ce-1e59-4b0f-a264-04b877d4dfba",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "30647fae-03f0-46a0-b6a6-96f4b9692227:indexpattern-datasource-layer-d268dc70-0f0d-443b-b702-d08241bc0733",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "b146db26-e963-43f4-b2cd-60eb96128506:indexpattern-datasource-layer-52771762-574a-44e5-b312-212bca766745",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "a004f187-6f6e-4875-b63e-2b50db064884:indexpattern-datasource-layer-d268dc70-0f0d-443b-b702-d08241bc0733",
+ "type": "index-pattern"
+ },
+ {
+ "id": 
"bb5226cd-c099-46d2-bb71-0257232c7d82",
+ "name": "controlGroup_8c4d7403-b7c0-4274-9e12-cec69c62e01e:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "tychon-a3922360-3de6-11ee-9610-15dee918f31a",
+ "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "tychon-9c222660-1100-11ee-af86-538da1394f27",
+ "name": "tag-ref-9c222660-1100-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "tychon-10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "tychon-39b55820-10f2-11ee-af86-538da1394f27",
+ "name": "tag-ref-39b55820-10f2-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "tychon-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2023-08-23T20:51:50.468Z",
+ "version": "WzgyMTUxMywyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive.json b/packages/tychon/kibana/dashboard/tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive.json
new file mode 100644
index 00000000000..92a033e8db0
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive.json
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
+ "panelsJSON": "{\"fddd86d2-bc58-48d0-880d-f1d537f90bdc\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"fddd86d2-bc58-48d0-880d-f1d537f90bdc\",\"enhancements\":{}}}}"
+ },
+ "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Drives and Disks view displays current Hard Drive and Partitions attached to endpoints at the time TYCHON performed its check.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}",
+ "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"d8ad9dec-a73f-4cc6-b9d3-c175e2b6feea\"},\"panelIndex\":\"d8ad9dec-a73f-4cc6-b9d3-c175e2b6feea\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Host Info](/app/dashboards#/view/6165bf50-3dbf-11ee-9610-15dee918f31a) | [Drives and Disks](/app/dashboards#/view/380b6c10-3dbd-11ee-9610-15dee918f31a) | [Apps and Software](/app/dashboards#/view/2bd4ca50-3dfd-11ee-9610-15dee918f31a) | [Hardware](/app/dashboards#/view/993e07a0-3e02-11ee-9610-15dee918f31a) | 
[Vulnerabilities](/app/dashboards#/view/2de7a3c0-3e08-11ee-9610-15dee918f31a) | Benchmark Results | Patches | [Services and Ports](/app/dashboards#/view/0c036be0-3de5-11ee-9610-15dee918f31a) | Protections\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_d8ad9dec-a73f-4cc6-b9d3-c175e2b6feea\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":6,\"h\":12,\"i\":\"fa484c10-d1a8-45e8-9385-be1a0df6ddba\"},\"panelIndex\":\"fa484c10-d1a8-45e8-9385-be1a0df6ddba\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Drives and Volumes\\nInvestigate the hard drives and volumes attached to this endpoint. TYCHON will evaluate this dataset every hour and report all attached drives (hard drives, cd roms, etc.) and all assigned volumes (c:\\\\, d:\\\\, boot, etc.). 
You will be able to investigate the hardware in-use, the size of the volume and other datapoints critical to the function of the compute on this device.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":3,\"w\":5,\"h\":6,\"i\":\"aba0b52b-5f8e-4c87-956d-eea8f7c385fb\"},\"panelIndex\":\"aba0b52b-5f8e-4c87-956d-eea8f7c385fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-7cbc7137-0f64-4584-a31c-272e19b5be9a\"}],\"state\":{\"visualization\":{\"layerId\":\"7cbc7137-0f64-4584-a31c-272e19b5be9a\",\"accessor\":\"06ea4772-193a-450f-a877-f50c5a4e283a\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7cbc7137-0f64-4584-a31c-272e19b5be9a\":{\"columns\":{\"06ea4772-193a-450f-a877-f50c5a4e283a\":{\"label\":\"Total Number of 
Drives\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"06ea4772-193a-450f-a877-f50c5a4e283a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":3,\"w\":37,\"h\":12,\"i\":\"f40d683e-92a6-422e-876c-4363f16dade0\"},\"panelIndex\":\"f40d683e-92a6-422e-876c-4363f16dade0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"62456a9a-bd4c-4b57-b6b5-5556b6869ce5\",\"name\":\"indexpattern-datasource-layer-ab5ae478-53f7-419a-a1ec-7b08492df989\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"bb301745-ba84-41cf-a000-5c7bdf0ae217\"},{\"isTransposed\":false,\"columnId\":\"dc614c64-8d46-46ac-b6a7-419bc064d294\",\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":5,\"stops\":[{\"color\":\"#cc5642\",\"stop\":10},{\"color\":\"#e7664c\",\"stop\":30},{\"color\":\"#d6bf57\",\"stop\":60},{\"color\":\"#54b399\",\"stop\":80},{\"color\":\"#209280\",\"stop\":100}],\"name\":\"custom\",\"colorStops\":[{\"color\":\"#cc5642\",\"stop\":0},{\"color\":\"#e7664c\",\"stop\":10},{\"color\":\"#d6bf57\",\"stop\":30},{\"color\":\"#54b399\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null,\"rangeType\":\"percent\"}}},{\"columnId\":\"31942166-8460-454d-af8d-2f4c3ea1ac36\",\"isTransposed\":false},{\"columnId\":\"6e3c8cf1-6de2-4760-9e2b-24be0f13b383\",\"isTransposed\":false},{\"columnId\":\"c362c064-87fe-4a40-abae-a2fe669d0d9e\",\"isTransposed\":false},{\"columnId\":\"a22124
c5-1d7c-4bf4-96b1-1acbfeae8a69\",\"isTransposed\":false,\"colorMode\":\"cell\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":5,\"stops\":[{\"color\":\"#6092C0\",\"stop\":1},{\"color\":\"#54b399\",\"stop\":90},{\"color\":\"#d9816f\",\"stop\":95},{\"color\":\"#cc5642\",\"stop\":100}],\"name\":\"custom\",\"colorStops\":[{\"color\":\"#6092C0\",\"stop\":0},{\"color\":\"#54b399\",\"stop\":1},{\"color\":\"#d9816f\",\"stop\":90},{\"color\":\"#cc5642\",\"stop\":95}],\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}},{\"columnId\":\"e3caee5f-96aa-404c-ba25-e1dbd58f75ee\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"ab5ae478-53f7-419a-a1ec-7b08492df989\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ab5ae478-53f7-419a-a1ec-7b08492df989\":{\"columns\":{\"bb301745-ba84-41cf-a000-5c7bdf0ae217\":{\"label\":\"Drive Letter\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.drive.letter\",\"isBucketed\":true,\"params\":{\"size\":15,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dc614c64-8d46-46ac-b6a7-419bc064d294\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"dc614c64-8d46-46ac-b6a7-419bc064d294\":{\"label\":\"Freespace\",\"dataType\":\"number\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"volume.freespace\",\"filter\":{\"query\":\"volume.freespace: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\",\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"31942166-8460-454d-af8d-2f4c3ea1ac36\":{\"label\":\"File 
System\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.file_system\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dc614c64-8d46-46ac-b6a7-419bc064d294\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"6e3c8cf1-6de2-4760-9e2b-24be0f13b383\":{\"label\":\"Total Size\",\"dataType\":\"number\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"volume.size\",\"filter\":{\"query\":\"volume.size: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\",\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"c362c064-87fe-4a40-abae-a2fe669d0d9e\":{\"label\":\"Volume Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dc614c64-8d46-46ac-b6a7-419bc064d294\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a22124c5-1d7c-4bf4-96b1-1acbfeae8a69\":{\"label\":\"Percent Full\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"volume.percent_full\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e3caee5f-96aa-404c-ba25-e1dbd58f75ee\":{\"label\":\"System 
Volume\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.system_volume\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dc614c64-8d46-46ac-b6a7-419bc064d294\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"bb301745-ba84-41cf-a000-5c7bdf0ae217\",\"c362c064-87fe-4a40-abae-a2fe669d0d9e\",\"31942166-8460-454d-af8d-2f4c3ea1ac36\",\"e3caee5f-96aa-404c-ba25-e1dbd58f75ee\",\"dc614c64-8d46-46ac-b6a7-419bc064d294\",\"6e3c8cf1-6de2-4760-9e2b-24be0f13b383\",\"a22124c5-1d7c-4bf4-96b1-1acbfeae8a69\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Volumes\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":8,\"i\":\"20040d41-ab77-43a7-b5e2-a962b042275c\"},\"panelIndex\":\"20040d41-ab77-43a7-b5e2-a962b042275c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-9836a928-d429-4c9f-be78-970504fd7573\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"466ad901-c0e8-4f1c-a36f-b8c8370de454\"},{\"columnId\":\"a8ee904a-9d39-496b-a859-9bc09827b706\",\"isTransposed\":false},{\"columnId\":\"8a78a361-1cac-40b6-a0f4-f4f1253f0941\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"ee278da4-5b1a-4e70-b4db-7ffc47a3c227\",\"isTransposed\":false},{\"columnId\":\"5b76281a-e942-4469-ae3a-5d756240a842\",\"isTransposed\":false},{\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\",\"isTransposed
\":false,\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":20},{\"color\":\"#aed3ca\",\"stop\":40},{\"color\":\"#85bdb1\",\"stop\":60},{\"color\":\"#5aa898\",\"stop\":80},{\"color\":\"#209280\",\"stop\":100}]}},\"alignment\":\"center\"},{\"columnId\":\"ef7ef096-329c-45a0-91b3-85e31ddbfcb7\",\"isTransposed\":false},{\"columnId\":\"da851de3-b924-48b8-afaa-588e632a6cdb\",\"isTransposed\":false},{\"columnId\":\"7f594f0b-a1ca-4244-bfbc-84b803eff59f\",\"isTransposed\":false}],\"layerId\":\"9836a928-d429-4c9f-be78-970504fd7573\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9836a928-d429-4c9f-be78-970504fd7573\":{\"columns\":{\"466ad901-c0e8-4f1c-a36f-b8c8370de454\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a8ee904a-9d39-496b-a859-9bc09827b706\":{\"label\":\"Boot 
Device\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.is_boot\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8a78a361-1cac-40b6-a0f4-f4f1253f0941\":{\"label\":\"Health\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.health_status\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ee278da4-5b1a-4e70-b4db-7ffc47a3c227\":{\"label\":\"Model\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.model\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5b76281a-e942-4469-ae3a-5d756240a842\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"custom
Label\":true},\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\":{\"label\":\"Sum of disk.size\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"disk.size\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}}},\"ef7ef096-329c-45a0-91b3-85e31ddbfcb7\":{\"label\":\"Offline\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.offline\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"da851de3-b924-48b8-afaa-588e632a6cdb\":{\"label\":\"Serial Number\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.serial_number\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7f594f0b-a1ca-4244-bfbc-84b803eff59f\":{\"label\":\"Firmware 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.firmware.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"466ad901-c0e8-4f1c-a36f-b8c8370de454\",\"ee278da4-5b1a-4e70-b4db-7ffc47a3c227\",\"5b76281a-e942-4469-ae3a-5d756240a842\",\"a8ee904a-9d39-496b-a859-9bc09827b706\",\"8a78a361-1cac-40b6-a0f4-f4f1253f0941\",\"ef7ef096-329c-45a0-91b3-85e31ddbfcb7\",\"da851de3-b924-48b8-afaa-588e632a6cdb\",\"7f594f0b-a1ca-4244-bfbc-84b803eff59f\",\"a3c42a2e-e6c9-44ce-88ed-0664fb15a79f\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Disk 
Info\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":7,\"i\":\"4944f397-3eac-4bf8-a31e-8f6477febb89\"},\"panelIndex\":\"4944f397-3eac-4bf8-a31e-8f6477febb89\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-cb34ca0a-d538-48ee-ba32-3a258367dcc6\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8ad0cfb3-0f6d-4812-83a5-9839604bd3bf\",\"alignment\":\"center\"},{\"isTransposed\":false,\"columnId\":\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"},{\"columnId\":\"a0c8e3f2-e88a-4fc8-acc1-3a73985a5e81\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"1149bbca-2c04-4d09-822d-dc0a4a0d419e\",\"isTransposed\":false},{\"columnId\":\"4f2d2bac-b756-40d3-80ac-8ff4be4cd605\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"b9ce9f0e-8634-42b2-8717-f64db6f1d7ae\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"faab2332-ae0e-4731-8443-d8beb158987e\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"cb34ca0a-d538-48ee-ba32-3a258367dcc6\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"cb34ca0a-d538-48ee-ba32-3a258367dcc6\":{\"columns\":{\"8ad0cfb3-0f6d-4812-83a5-9839604bd3bf\":{\"label\":\"Adapter 
Location\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.location.adapter\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"a0c8e3f2-e88a-4fc8-acc1-3a73985a5e81\":{\"label\":\"Bus Location\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.location.bus\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1149bbca-2c04-4d09-822d-dc0a4a0d419e\":{\"label\":\"Disk Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4f2d2bac-b756-40d3-80ac-8ff4be4cd605\":{\"label\":\"PCI 
Slot\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.location.pci_slot\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b9ce9f0e-8634-42b2-8717-f64db6f1d7ae\":{\"label\":\"Function\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"disk.location.function\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"faab2332-ae0e-4731-8443-d8beb158987e\":{\"label\":\"Device Location\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"disk.location.device\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true}},\"columnOrder\":[\"1149bbca-2c04-4d09-822d-dc0a4a0d419e\",\"4f2d2bac-b756-40d3-80ac-8ff4be4cd605\",\"8ad0cfb3-0f6d-4812-83a5-9839604bd3bf\",\"a0c8e3f2-e88a-4fc8-acc1-3a73985a5e81\",\"b9ce9f0e-8634-42b2-8717-f64db6f1d7ae\",\"faab2332-ae0e-4731-8443-d8beb158987e\",\"927d6f73-38bc-4ab6-b19d-53a7ca3969bf\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Disk 
Locations\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":9,\"w\":5,\"h\":6,\"i\":\"13d03391-5f61-4049-833c-e90f550134ee\"},\"panelIndex\":\"13d03391-5f61-4049-833c-e90f550134ee\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"62456a9a-bd4c-4b57-b6b5-5556b6869ce5\",\"name\":\"indexpattern-datasource-layer-7cbc7137-0f64-4584-a31c-272e19b5be9a\"}],\"state\":{\"visualization\":{\"layerId\":\"7cbc7137-0f64-4584-a31c-272e19b5be9a\",\"accessor\":\"06ea4772-193a-450f-a877-f50c5a4e283a\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7cbc7137-0f64-4584-a31c-272e19b5be9a\":{\"columns\":{\"06ea4772-193a-450f-a877-f50c5a4e283a\":{\"label\":\"Total Number of Volumes\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"06ea4772-193a-450f-a877-f50c5a4e283a\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Drives and Disks", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:45:01.909Z", + "id": "tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "d8ad9dec-a73f-4cc6-b9d3-c175e2b6feea:panel_d8ad9dec-a73f-4cc6-b9d3-c175e2b6feea", + "type": "visualization" + 
}, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "aba0b52b-5f8e-4c87-956d-eea8f7c385fb:indexpattern-datasource-layer-7cbc7137-0f64-4584-a31c-272e19b5be9a", + "type": "index-pattern" + }, + { + "id": "62456a9a-bd4c-4b57-b6b5-5556b6869ce5", + "name": "f40d683e-92a6-422e-876c-4363f16dade0:indexpattern-datasource-layer-ab5ae478-53f7-419a-a1ec-7b08492df989", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "20040d41-ab77-43a7-b5e2-a962b042275c:indexpattern-datasource-layer-9836a928-d429-4c9f-be78-970504fd7573", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "4944f397-3eac-4bf8-a31e-8f6477febb89:indexpattern-datasource-layer-cb34ca0a-d538-48ee-ba32-3a258367dcc6", + "type": "index-pattern" + }, + { + "id": "62456a9a-bd4c-4b57-b6b5-5556b6869ce5", + "name": "13d03391-5f61-4049-833c-e90f550134ee:indexpattern-datasource-layer-7cbc7137-0f64-4584-a31c-272e19b5be9a", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_fddd86d2-bc58-48d0-880d-f1d537f90bdc:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "7f851220-3d41-11ee-9610-15dee918f31a", + "name": "tag-ref-7f851220-3d41-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:45:01.909Z", + "version": "WzgyMDc1MywyMl0=" +} \ No newline at end of file 
diff --git a/packages/tychon/kibana/dashboard/tychon-3cb855d0-3c5e-11ee-8557-a7ea91123f8b-networkadapter.json b/packages/tychon/kibana/dashboard/tychon-3cb855d0-3c5e-11ee-8557-a7ea91123f8b-networkadapter.json
new file mode 100644
index 00000000000..ea6671fe98c
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-3cb855d0-3c5e-11ee-8557-a7ea91123f8b-networkadapter.json
@@ -0,0 +1,104 @@ +{ + "attributes": { + "description": "TYCHON collects all network adapters attached to computers. It tracks WIFI modules, DHCP lease information as well as Hardware data like drivers and MAC addresses.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":5,\"h\":12,\"i\":\"d49517b7-b398-4f73-8ece-762088585b93\"},\"panelIndex\":\"d49517b7-b398-4f73-8ece-762088585b93\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Network Adapters\\n\\nTYCHON collects network adapters, including their settings and the hardware associated with them, on an hourly basis. 
This is a running configuration of the endpoint; updates are sent for previously identified adapters and new records are sent if they are found.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":5,\"y\":0,\"w\":8,\"h\":12,\"i\":\"7f62756c-e202-4cfe-941c-efadbe5e5d44\"},\"panelIndex\":\"7f62756c-e202-4cfe-941c-efadbe5e5d44\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-d0ae3dee-4383-481f-aef0-daf860c05856\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"d0ae3dee-4383-481f-aef0-daf860c05856\",\"primaryGroups\":[\"5d80b5b5-18f3-4e68-89ea-9e8f4f3a5513\"],\"metrics\":[\"bd0319f0-b85b-481d-abde-21648d07caa7\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"hide\",\"nestedLegend\":false,\"layerType\":\"data\",\"percentDecimals\":1,\"emptySizeRatio\":0.7,\"collapseFns\":{\"5d80b5b5-18f3-4e68-89ea-9e8f4f3a5513\":\"\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d0ae3dee-4383-481f-aef0-daf860c05856\":{\"columns\":{\"5d80b5b5-18f3-4e68-89ea-9e8f4f3a5513\":{\"label\":\"Top 5 values of 
host.adapter.ip_filter.enabled\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip_filter.enabled\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bd0319f0-b85b-481d-abde-21648d07caa7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bd0319f0-b85b-481d-abde-21648d07caa7\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"5d80b5b5-18f3-4e68-89ea-9e8f4f3a5513\",\"bd0319f0-b85b-481d-abde-21648d07caa7\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"IP Filtering 
Enabled\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":0,\"w\":9,\"h\":12,\"i\":\"e32e4e7e-d84d-4f31-9a0d-a57ab471c406\"},\"panelIndex\":\"e32e4e7e-d84d-4f31-9a0d-a57ab471c406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-8c16b6e7-b3ab-468a-be34-9eaa64761bc4\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"8c16b6e7-b3ab-468a-be34-9eaa64761bc4\",\"primaryGroups\":[\"da1553ec-49af-40ed-ae81-3f0f934cb82c\"],\"metrics\":[\"e9a53c29-8278-4d38-86d9-c3d714781f13\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"8c16b6e7-b3ab-468a-be34-9eaa64761bc4\":{\"columns\":{\"da1553ec-49af-40ed-ae81-3f0f934cb82c\":{\"label\":\"Top 5 values of host.adapter.dhcp.enabled\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.dhcp.enabled\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e9a53c29-8278-4d38-86d9-c3d714781f13\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"e9a53c29-8278-4d38-86d9-c3d714781f13\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"da1553ec-49af-40ed-ae81-3f0f934cb82c\",\"e9a53c29-8278-4d38-86d9-c3d714781f13\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"DHCP Enabled\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":22,\"y\":0,\"w\":9,\"h\":12,\"i\":\"9936786e-a55c-4b9a-aa4b-b8d980f57126\"},\"panelIndex\":\"9936786e-a55c-4b9a-aa4b-b8d980f57126\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-89d857bd-b2bf-4a46-a223-daa5fbc8d974\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"89d857bd-b2bf-4a46-a223-daa5fbc8d974\",\"primaryGroups\":[\"ab2f98ea-92e9-4b85-8ac9-83aa0cadfcef\"],\"metrics\":[\"85eb49da-cefb-4e08-b5e1-8a420138b003\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"89d857bd-b2bf-4a46-a223-daa5fbc8d974\":{\"columns\":{\"ab2f98ea-92e9-4b85-8ac9-83aa0cadfcef\":{\"label\":\"Top 5 values of 
host.adapter.wifi.enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.enabled\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"85eb49da-cefb-4e08-b5e1-8a420138b003\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":false},\"85eb49da-cefb-4e08-b5e1-8a420138b003\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"ab2f98ea-92e9-4b85-8ac9-83aa0cadfcef\",\"85eb49da-cefb-4e08-b5e1-8a420138b003\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Wifi Enabled\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":9,\"h\":12,\"i\":\"df122ed7-85d7-41b1-a9a9-047e43b8f3a1\"},\"panelIndex\":\"df122ed7-85d7-41b1-a9a9-047e43b8f3a1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-478c5274-7721-46c2-b0f5-d42bd3449cce\"}],\"state\":{\"visualization\":{\"layerId\":\"478c5274-7721-46c2-b0f5-d42bd3449cce\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"2601cadf-de30-40c7-84fb-c3f338ccc376\"},{\"columnId\":\"cb480377-d348-4319-9392-8cd5de727be0\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"478c5274-7721-46c2-b0f5-d42bd3449cce\":{\"columns\":{\"2601cadf-de30-40c7-84fb-c3f338ccc376\":{\"label\":\"WIFI 
Authentication\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.authentication\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"cb480377-d348-4319-9392-8cd5de727be0\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"cb480377-d348-4319-9392-8cd5de727be0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2601cadf-de30-40c7-84fb-c3f338ccc376\",\"cb480377-d348-4319-9392-8cd5de727be0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top WIFI Authentication\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":12,\"i\":\"d648a9c0-0648-419b-b79b-71e1ee8a9a72\"},\"panelIndex\":\"d648a9c0-0648-419b-b79b-71e1ee8a9a72\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-a9f337a1-9ff1-4aae-ad4f-594b27fae2b3\"}],\"state\":{\"visualization\":{\"layerId\":\"a9f337a1-9ff1-4aae-ad4f-594b27fae2b3\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"59edd0fe-bf89-4d01-bbd4-02affe8ec26b\"},{\"columnId\":\"066b12e0-e98d-463e-9786-758d37cdd4cb\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a9f337a1-9ff1-4aae-ad4f-594b27fae2b3\":{\"columns\":{\"59edd0fe-bf89-4d01-bbd4-02affe8ec26b\":{\"label\":\"WIFI 
Cipher\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.cipher\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"066b12e0-e98d-463e-9786-758d37cdd4cb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"066b12e0-e98d-463e-9786-758d37cdd4cb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"59edd0fe-bf89-4d01-bbd4-02affe8ec26b\",\"066b12e0-e98d-463e-9786-758d37cdd4cb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top WIFI Ciphers\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":31,\"h\":12,\"i\":\"543e1534-9b02-483a-a90d-64133a9f3949\"},\"panelIndex\":\"543e1534-9b02-483a-a90d-64133a9f3949\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-aeef0279-8407-4694-9a27-0c3160e7ac86\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"aeef0279-8407-4694-9a27-0c3160e7
ac86\",\"accessors\":[\"bfa9be94-5153-418c-89aa-3629fc8e8977\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f5441746-7ad5-47c1-a7f1-5bb1c1ebbc5b\",\"yConfig\":[{\"forAccessor\":\"bfa9be94-5153-418c-89aa-3629fc8e8977\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"event.code:8502 \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aeef0279-8407-4694-9a27-0c3160e7ac86\":{\"columns\":{\"f5441746-7ad5-47c1-a7f1-5bb1c1ebbc5b\":{\"label\":\"events\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.ingested\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":false},\"customLabel\":true},\"bfa9be94-5153-418c-89aa-3629fc8e8977\":{\"label\":\"Reporting Hosts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f5441746-7ad5-47c1-a7f1-5bb1c1ebbc5b\",\"bfa9be94-5153-418c-89aa-3629fc8e8977\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":12,\"w\":17,\"h\":12,\"i\":\"1f76e42c-0430-4e02-97bb-62ebd19fd592\"},\"panelIndex\":\"1f76e42c-0430-4e02-97bb-62ebd19fd592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-3c9abebd-e23f-413d-abb5-f2bcca35a2f4\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"97ec5e03-9fbc-4f67-8023-d03a325cd9c1\",\"isTransposed\":false},{\"columnId\":\"afb2746e-d5b5-4e13-b935-4d5c2d553258\",\"isTransposed\":false}],\"layerId\":\"3c9abebd-e23
f-413d-abb5-f2bcca35a2f4\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3c9abebd-e23f-413d-abb5-f2bcca35a2f4\":{\"columns\":{\"97ec5e03-9fbc-4f67-8023-d03a325cd9c1\":{\"label\":\"SSID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.ssid\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"afb2746e-d5b5-4e13-b935-4d5c2d553258\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"afb2746e-d5b5-4e13-b935-4d5c2d553258\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"97ec5e03-9fbc-4f67-8023-d03a325cd9c1\",\"afb2746e-d5b5-4e13-b935-4d5c2d553258\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Wireless 
SSIDs\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":24,\"w\":31,\"h\":15,\"i\":\"c6dfaa90-2cfe-4e80-9df0-668ed93cc376\"},\"panelIndex\":\"c6dfaa90-2cfe-4e80-9df0-668ed93cc376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-32ff30b7-29b3-4d44-ad6b-75b5ac82b7d1\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"844bced9-2788-47f0-a95c-866804591aab\"},{\"isTransposed\":false,\"columnId\":\"7824c0bb-7bc5-4b20-a164-2c9ba76b0b20\"},{\"isTransposed\":false,\"columnId\":\"3c7a969e-bdf4-466b-8992-d15d21ed19a4\"},{\"isTransposed\":false,\"columnId\":\"97cd8085-627d-4dc1-b014-3b9a9281a580\"},{\"isTransposed\":false,\"columnId\":\"64ab5703-ecdb-4c44-9ea2-4a79689c8a33\"},{\"isTransposed\":false,\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\",\"hidden\":true},{\"columnId\":\"fd305582-42c8-4034-af5b-9bad7687ca56\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"32ff30b7-29b3-4d44-ad6b-75b5ac82b7d1\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"32ff30b7-29b3-4d44-ad6b-75b5ac82b7d1\":{\"columns\":{\"844bced9-2788-47f0-a95c-866804591aab\":{\"label\":\"Host 
IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7824c0bb-7bc5-4b20-a164-2c9ba76b0b20\":{\"label\":\"MAC\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.mac\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3c7a969e-bdf4-466b-8992-d15d21ed19a4\":{\"label\":\"Adapter IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"97cd8085-627d-4dc1-b014-3b9a9281a580\":{\"label\":\"Adapter 
MAC\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.mac\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"64ab5703-ecdb-4c44-9ea2-4a79689c8a33\":{\"label\":\"Domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"887116a6-6ac3-4495-a2b0-dffe493e7963\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"fd305582-42c8-4034-af5b-9bad7687ca56\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"887116a6-6ac3-4495-a2b0-dffe493e7963\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"844bced9-2788-47f0-a95c-866804591aab\",\"7824c0bb-7bc5-4b20-a164-2c9ba76b0b20\",\"3c7a969e-bdf4-466b-8992-d15d21ed19a4\",\"97cd8085-627d-4dc1-b014-3b9a9281a580\",\"64ab5703-ecdb-4c44-9ea2-4a79689c8a33\",\"fd305582-42c8-4034-af5b-9bad7687ca56\",\"887116a6-6ac3-4495-a2b0-dffe493e7963\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"f98ddf9f-1272-4629-a78f-34be39b396c9\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to Dashboard\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"hidePanelTitles\":false},\"title\":\"Adapter 
Information\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":24,\"w\":17,\"h\":29,\"i\":\"b6ab1ca4-6059-46f3-aeb5-179d697bd31e\"},\"panelIndex\":\"b6ab1ca4-6059-46f3-aeb5-179d697bd31e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-b2b81cdf-b376-4b7b-8c8a-2dcba80a5592\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"db31a9cd-02fb-4e53-8189-6b4cf20e622b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"60a1e7e5-b330-4283-801d-5257bd50d8ff\"},{\"isTransposed\":false,\"columnId\":\"cc510be1-9910-472e-9293-4d969fed4df5\"},{\"isTransposed\":false,\"columnId\":\"298203d5-0914-4aaa-97a8-bd1a1c99f441\",\"width\":164.4,\"hidden\":true},{\"columnId\":\"09a3d3c8-e208-4954-aa8f-cc0e9adbb427\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"84773659-f553-44c6-a891-2a319c961733\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"b2b81cdf-b376-4b7b-8c8a-2dcba80a5592\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b2b81cdf-b376-4b7b-8c8a-2dcba80a5592\":{\"columns\":{\"db31a9cd-02fb-4e53-8189-6b4cf20e622b\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"298203d5-0914-4aaa-97a8-bd1a1c99f441\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"60a1e7e5-b330-4283-801d-5257bd50d8ff\":{\"label\":\"DHCP 
Server\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.dhcp.server\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"298203d5-0914-4aaa-97a8-bd1a1c99f441\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"cc510be1-9910-472e-9293-4d969fed4df5\":{\"label\":\"DHCP Enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.dhcp.enabled\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"298203d5-0914-4aaa-97a8-bd1a1c99f441\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"298203d5-0914-4aaa-97a8-bd1a1c99f441\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"09a3d3c8-e208-4954-aa8f-cc0e9adbb427\":{\"label\":\"Lease Expires\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.dhcp.lease_expires\",\"filter\":{\"query\":\"host.adapter.dhcp.lease_expires: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"84773659-f553-44c6-a891-2a319c961733\":{\"label\":\"Lease Obtained\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.adapter.dhcp.lease_obtained\",\"filter\":{\"query\":\"host.adapter.dhcp.lease_obtained: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true}},\"columnOrder\":[\"db31a9cd-02fb-4e53-8189-6b4cf20e622b\",\"60a1e7e5-b330-4283-801d-5257bd50d8ff\",\"cc510be1-9910-472e-9293-4d969fed4df5\",\"298203d5-0914-4aaa-97a8-bd1a1c99f441\",\"09a3d3c8-e208-4954-aa8f-cc0e9adbb427\",\"84773659-f553-44c6-a891-2a319c961733\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"06b99334-2f3a-4fea-88a9-f8ff484a0273\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to Dashboard\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"hidePanelTitles\":false},\"title\":\"DHCP Leases\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":39,\"w\":31,\"h\":14,\"i\":\"e44243ce-1dd7-4d08-bdfd-ada361b702ba\"},\"panelIndex\":\"e44243ce-1dd7-4d08-bdfd-ada361b702ba\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-5d4423cc-ea65-4dde-b95c-c03fc25f421e\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"80d969cb-519d-4f44-896e-414e3855ff30\"},{\"isTransposed\":false,\"columnId\":\"49a08f10-2a5d-45a1-80f4-c1217d6a3ba9\"},{\"isTransposed\":false,\"columnId\":\"5ed2292c-513d-4a4b-81f0-450b471824bf\"},{\"isTransposed\":false,\"columnId\":\"0d310f9d-a56d-4091-979d-170a9f4c6933\"},{\"isTransposed\":false,\"columnId\":\"4ebd68ae-b793-42be-a295-0271f7ab93cb\",\"width\":139.66666666666666,\"hidden\":true}],\"layerId\":\"5d4423cc-ea65-4dde-b95c-c03fc25f421e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased
\":{\"layers\":{\"5d4423cc-ea65-4dde-b95c-c03fc25f421e\":{\"columns\":{\"80d969cb-519d-4f44-896e-414e3855ff30\":{\"label\":\"Driver Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ebd68ae-b793-42be-a295-0271f7ab93cb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"49a08f10-2a5d-45a1-80f4-c1217d6a3ba9\":{\"label\":\"Driver Provider\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.provider\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ebd68ae-b793-42be-a295-0271f7ab93cb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5ed2292c-513d-4a4b-81f0-450b471824bf\":{\"label\":\"Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ebd68ae-b793-42be-a295-0271f7ab93cb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0d310f9d-a56d-4091-979d-170a9f4c6933\":{\"label\":\"File\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.driver.file_name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ebd68ae-b793-42be-a295-0271f7ab93cb\"},\"orderDirection
\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4ebd68ae-b793-42be-a295-0271f7ab93cb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"80d969cb-519d-4f44-896e-414e3855ff30\",\"49a08f10-2a5d-45a1-80f4-c1217d6a3ba9\",\"5ed2292c-513d-4a4b-81f0-450b471824bf\",\"0d310f9d-a56d-4091-979d-170a9f4c6933\",\"4ebd68ae-b793-42be-a295-0271f7ab93cb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Network Card Drivers\"}]", + "timeRestore": false, + "title": "[TYCHON] Host Network Adapters", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-24T11:25:58.181Z", + "id": "tychon-3cb855d0-3c5e-11ee-8557-a7ea91123f8b-networkadapter", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "7f62756c-e202-4cfe-941c-efadbe5e5d44:indexpattern-datasource-layer-d0ae3dee-4383-481f-aef0-daf860c05856", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "e32e4e7e-d84d-4f31-9a0d-a57ab471c406:indexpattern-datasource-layer-8c16b6e7-b3ab-468a-be34-9eaa64761bc4", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "9936786e-a55c-4b9a-aa4b-b8d980f57126:indexpattern-datasource-layer-89d857bd-b2bf-4a46-a223-daa5fbc8d974", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "df122ed7-85d7-41b1-a9a9-047e43b8f3a1:indexpattern-datasource-layer-478c5274-7721-46c2-b0f5-d42bd3449cce", + "type": "index-pattern" + }, + { + "id": 
"e886429e-9532-4f44-bb36-6465fe760866", + "name": "d648a9c0-0648-419b-b79b-71e1ee8a9a72:indexpattern-datasource-layer-a9f337a1-9ff1-4aae-ad4f-594b27fae2b3", + "type": "index-pattern" + }, + { + "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21", + "name": "543e1534-9b02-483a-a90d-64133a9f3949:indexpattern-datasource-layer-aeef0279-8407-4694-9a27-0c3160e7ac86", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "1f76e42c-0430-4e02-97bb-62ebd19fd592:indexpattern-datasource-layer-3c9abebd-e23f-413d-abb5-f2bcca35a2f4", + "type": "index-pattern" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "c6dfaa90-2cfe-4e80-9df0-668ed93cc376:indexpattern-datasource-layer-32ff30b7-29b3-4d44-ad6b-75b5ac82b7d1", + "type": "index-pattern" + }, + { + "id": "tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter", + "name": "c6dfaa90-2cfe-4e80-9df0-668ed93cc376:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:f98ddf9f-1272-4629-a78f-34be39b396c9:dashboardId", + "type": "dashboard" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "b6ab1ca4-6059-46f3-aeb5-179d697bd31e:indexpattern-datasource-layer-b2b81cdf-b376-4b7b-8c8a-2dcba80a5592", + "type": "index-pattern" + }, + { + "id": "tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter", + "name": "b6ab1ca4-6059-46f3-aeb5-179d697bd31e:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:06b99334-2f3a-4fea-88a9-f8ff484a0273:dashboardId", + "type": "dashboard" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "e44243ce-1dd7-4d08-bdfd-ada361b702ba:indexpattern-datasource-layer-5d4423cc-ea65-4dde-b95c-c03fc25f421e", + "type": "index-pattern" + }, + { + "id": "11990b80-41b6-11ee-83e4-c92ed141b9e5", + "name": "tag-ref-11990b80-41b6-11ee-83e4-c92ed141b9e5", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": 
"tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-24T11:25:58.181Z", + "version": "WzgyNzcwNywyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host.json b/packages/tychon/kibana/dashboard/tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host.json new file mode 100644 index 00000000000..666bee04e0e --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host.json 
@@ -0,0 +1,151 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"374dee3b-0adb-43f7-87d4-a8b9c1c9c1c5\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"374dee3b-0adb-43f7-87d4-a8b9c1c9c1c5\",\"enhancements\":{}}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Host Information view displays overall Operating System data and summary information from its subordinate datasets (disks, drives, vulnerabilities, benchmarks, etc.).", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"2d1446f2-6aee-4a7c-84e2-aeffa6c5cf9d\"},\"panelIndex\":\"2d1446f2-6aee-4a7c-84e2-aeffa6c5cf9d\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_2d1446f2-6aee-4a7c-84e2-aeffa6c5cf9d\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":6,\"h\":10,\"i\":\"a5029f8a-476b-4375-bb7a-d60889ade8a4\"},\"panelIndex\":\"a5029f8a-476b-4375-bb7a-d60889ade8a4\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"metrics\",\"params\":{\"time_range_mode\":\"entire_time_range\",\"id\":\"92d62e85-e917-436d-b8d3-f69df24ed02b\",\"type\":\"markdown\",\"series\":[{\"time_range_mode\":\"entire_time_range\",\"id\":\"5c94a663-8135-4c09-acdf-a8e828c62ef4\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"2f2e4338-bd68-4176-966b-1f6aae9574e6\",\"type\":\"top_hit\",\"field\":\"host.os.name\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osname\",\"var_name\":\"osname\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"f04dc8d0-4151-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"f04dc8d1-4151-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.architecture\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"h
ostarch\",\"var_name\":\"hostarch\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"07d09d20-4152-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"07d09d21-4152-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.kernel\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"hostkern\",\"var_name\":\"hostkern\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"24089510-4152-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"24089511-4152-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.version\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osver\",\"var_name\":\"osver\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"b292c170-4152-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"b292c171-4152-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.description\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osdesc\",\"var_name\":\"osdesc\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"d3de77c0-4152-11ee-982
a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"d3de77c1-4152-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.edition\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osedition\",\"var_name\":\"osedition\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"230bf020-4153-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"230bf021-4153-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.organization\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osorg\",\"var_name\":\"osorg\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"3b35d9e0-4153-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"3b35d9e1-4153-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.platform\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osplatform\",\"var_name\":\"osplatform\"},{\"time_range_mode\":\"entire_time_range\",\"id\":\"82b7d200-4153-11ee-982a-2bb4f2d49090\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"palette\":{\"type\":\"palet
te\",\"name\":\"default\"},\"metrics\":[{\"order\":\"desc\",\"agg_with\":\"concat\",\"id\":\"82b7d201-4153-11ee-982a-2bb4f2d49090\",\"type\":\"top_hit\",\"field\":\"host.os.build\"}],\"separate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"default\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"override_index_pattern\":0,\"series_drop_last_bucket\":0,\"label\":\"osbuild\",\"var_name\":\"osbuild\"}],\"time_field\":\"\",\"use_kibana_indexes\":true,\"interval\":\"\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"axis_scale\":\"normal\",\"show_legend\":1,\"truncate_legend\":1,\"max_lines_legend\":1,\"show_grid\":1,\"tooltip_mode\":\"show_all\",\"drop_last_bucket\":0,\"isModelInvalid\":false,\"markdown\":\"**Platform:** {{ osplatform.osplatform.last.formatted }} \\\\\\r\\n**Operating System:** {{ osname.osname.last.formatted }} \\\\\\r\\n**Architecture:** {{ hostarch.hostarch.last.formatted }} \\\\\\r\\n**Kernel:** {{ hostkern.hostkern.last.formatted }} \\\\\\r\\n**Version:** {{ osver.osver.last.formatted }} \\\\\\r\\n**Build:** {{ osbuild.osbuild.last.formatted }} \\\\\\r\\n**Description:** {{ osdesc.osdesc.last.formatted }} \\\\\\r\\n**Edition:** {{ osedition.osedition.last.formatted }} \\\\\\r\\n**Organization:** {{ osorg.osorg.last.formatted }}\",\"index_pattern_ref_name\":\"metrics_a5029f8a-476b-4375-bb7a-d60889ade8a4_0_index_pattern\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"OS 
Information\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":3,\"w\":17,\"h\":5,\"i\":\"8ecc8919-ac6e-4281-a356-05f552ccf10f\"},\"panelIndex\":\"8ecc8919-ac6e-4281-a356-05f552ccf10f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-f4ed5a42-075e-4684-a82d-9b69f3ff5212\"}],\"state\":{\"visualization\":{\"layerId\":\"f4ed5a42-075e-4684-a82d-9b69f3ff5212\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"5db71250-e4a6-4352-9841-60bda3bb3d61\",\"hidden\":true},{\"columnId\":\"5ed56c44-5133-41e1-a6b9-53625ce522d3\",\"isTransposed\":false},{\"columnId\":\"18ea8a72-e8df-47b2-ad13-56ae22d6e75e\",\"isTransposed\":false},{\"columnId\":\"6b659b27-bfc8-452e-b8f9-3893e43a24ab\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4ed5a42-075e-4684-a82d-9b69f3ff5212\":{\"columns\":{\"5db71250-e4a6-4352-9841-60bda3bb3d61\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"5ed56c44-5133-41e1-a6b9-53625ce522d3\":{\"label\":\"BIOS Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.bios.name\",\"isBucketed\":true,\"params\":{\"size\":2,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5db71250-e4a6-4352-9841-60bda3bb3d61\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"18ea8a72-e8df-47b2-ad13-56ae22d6e75e\":{\"label\":\"BIOS 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.bios.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5db71250-e4a6-4352-9841-60bda3bb3d61\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6b659b27-bfc8-452e-b8f9-3893e43a24ab\":{\"label\":\"BIOS Serialnumber\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.biossn\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5db71250-e4a6-4352-9841-60bda3bb3d61\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"5ed56c44-5133-41e1-a6b9-53625ce522d3\",\"18ea8a72-e8df-47b2-ad13-56ae22d6e75e\",\"6b659b27-bfc8-452e-b8f9-3893e43a24ab\",\"5db71250-e4a6-4352-9841-60bda3bb3d61\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Host BIOS 
Information\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":3,\"w\":25,\"h\":5,\"i\":\"fd21cc47-2ac3-4a88-8598-c458a47d1e90\"},\"panelIndex\":\"fd21cc47-2ac3-4a88-8598-c458a47d1e90\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-596cb7b8-af7b-40db-affa-e7591c0165be\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"703fc954-3aab-4cea-b5b5-ec2b68e311bb\"},{\"isTransposed\":false,\"columnId\":\"0f437a99-d536-4931-ae23-18509767b878\",\"hidden\":true},{\"columnId\":\"84fbf0d5-cd51-41c0-a7c7-6072fd807f0b\",\"isTransposed\":false},{\"columnId\":\"b9936688-2921-4cc7-b058-e0fc26c376ec\",\"isTransposed\":false},{\"columnId\":\"074126a4-578b-4f8d-85df-0a460025e011\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"596cb7b8-af7b-40db-affa-e7591c0165be\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"596cb7b8-af7b-40db-affa-e7591c0165be\":{\"columns\":{\"703fc954-3aab-4cea-b5b5-ec2b68e311bb\":{\"label\":\"System Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0f437a99-d536-4931-ae23-18509767b878\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0f437a99-d536-4931-ae23-18509767b878\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"84fbf0d5-cd51-41c0-a7c7-6072fd807f0b\":{\"label\":\"Owner\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.owner\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0f437a99-d536-4931-ae23-18509767b878\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b9936688-2921-4cc7-b058-e0fc26c376ec\":{\"label\":\"Serial Number\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.serial_number\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0f437a99-d536-4931-ae23-18509767b878\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"074126a4-578b-4f8d-85df-0a460025e011\":{\"label\":\"Domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0f437a99-d536-4931-ae23-18509767b878\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"703fc954-3aab-4cea-b5b5-ec2b68e311bb\",\"84fbf0d5-cd51-41c0-a7c7-6072fd807f0b\",\"b9936688-2921-4cc7-b058-e0fc26c376ec\",\"074126a4-578b-4f8d-85df-0a460025e011\",\"0f437a99-d536-4931-ae23-18509767b878\"],\"incompleteColumns\":{},\"sampling\":1}}
},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Computer Info\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":8,\"w\":42,\"h\":5,\"i\":\"7412b1ca-0c47-4905-aa6a-474686887f76\"},\"panelIndex\":\"7412b1ca-0c47-4905-aa6a-474686887f76\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-21cf6cf3-6399-4b45-8e70-849aa6623d06\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"0f5c4a52-d271-4328-95b6-6c69453180bc\",\"width\":387.2857142857143},{\"isTransposed\":false,\"columnId\":\"52e60488-e5d3-40c2-80a0-07344374be6d\"},{\"columnId\":\"b718099c-427c-4132-95e5-660deafe078c\",\"isTransposed\":false},{\"columnId\":\"54346d91-c191-4452-a917-df1c036d9795\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":188.61904761904765},{\"columnId\":\"0d7c7fc3-2b87-4d1b-9032-2a962327b5b6\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":196.21904761904761},{\"columnId\":\"eba3a044-1b3b-4a95-85a1-b16eda075894\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":217.71904761904761},{\"columnId\":\"1d0ad394-868c-4a94-984b-20325b2e1304\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"18b6d48d-b1d6-4d14-8f46-f7132ab3ecff\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"fa120ad2-0f99-4d28-bc0d-e387ad82614b\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"21cf6cf3-6399-4b45-8e70-849aa6623d06\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"21cf6cf3-6399-4b45-8e70-849aa6623d06\":{\"columns\":{\"0f5c4a52-d271-4328-95b6-6c69453180bc\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationTyp
e\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"52e60488-e5d3-40c2-80a0-07344374be6d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"52e60488-e5d3-40c2-80a0-07344374be6d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"b718099c-427c-4132-95e5-660deafe078c\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"52e60488-e5d3-40c2-80a0-07344374be6d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"54346d91-c191-4452-a917-df1c036d9795\":{\"label\":\"Cores\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"host.cpu.number_of_cores\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"0d7c7fc3-2b87-4d1b-9032-2a962327b5b6\":{\"label\":\"Processors\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"host.cpu.number_of_logical_processors\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"eba3a044-1b3b-4a95-85a1-b16eda075894\":{\"label\":\"Speed 
GHZ\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"host.cpu.speed\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"1d0ad394-868c-4a94-984b-20325b2e1304\":{\"label\":\"Virtualization Enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.virtualization_firmware_enabled\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"52e60488-e5d3-40c2-80a0-07344374be6d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"18b6d48d-b1d6-4d14-8f46-f7132ab3ecff\":{\"label\":\"Family\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.family\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"52e60488-e5d3-40c2-80a0-07344374be6d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fa120ad2-0f99-4d28-bc0d-e387ad82614b\":{\"label\":\"Clock 
Speed\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"host.cpu.clockspeed\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true}},\"columnOrder\":[\"0f5c4a52-d271-4328-95b6-6c69453180bc\",\"b718099c-427c-4132-95e5-660deafe078c\",\"54346d91-c191-4452-a917-df1c036d9795\",\"0d7c7fc3-2b87-4d1b-9032-2a962327b5b6\",\"eba3a044-1b3b-4a95-85a1-b16eda075894\",\"fa120ad2-0f99-4d28-bc0d-e387ad82614b\",\"1d0ad394-868c-4a94-984b-20325b2e1304\",\"18b6d48d-b1d6-4d14-8f46-f7132ab3ecff\",\"52e60488-e5d3-40c2-80a0-07344374be6d\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"System CPU\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":6,\"h\":6,\"i\":\"88c54662-3d8e-4484-9bad-ab4d1aac4ffc\"},\"panelIndex\":\"88c54662-3d8e-4484-9bad-ab4d1aac4ffc\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-72f117b5-7ab9-41e7-a1f4-423f8b423707\"}],\"state\":{\"visualization\":{\"layerId\":\"72f117b5-7ab9-41e7-a1f4-423f8b423707\",\"accessor\":\"0e0ad3dc-89f4-471c-bf9c-55e1fa0cc457\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#CB4848\",\"stop\":4}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":null},{\"color\":\"#CB4848\",\"stop\":1}],\"continuity\":\"all\
",\"maxSteps\":5}},\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"72f117b5-7ab9-41e7-a1f4-423f8b423707\":{\"columns\":{\"0e0ad3dc-89f4-471c-bf9c-55e1fa0cc457\":{\"label\":\"Failing Vulnerabilities\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"0e0ad3dc-89f4-471c-bf9c-55e1fa0cc457\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"69270630-ea7e-41db-a897-69da6ff72cdf\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Vulnerabilities for this 
endpoint\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":13,\"w\":42,\"h\":7,\"i\":\"5ba071e0-cef6-4e8f-b34a-11b1cc806714\"},\"panelIndex\":\"5ba071e0-cef6-4e8f-b34a-11b1cc806714\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"e886429e-9532-4f44-bb36-6465fe760866\",\"name\":\"indexpattern-datasource-layer-56f3ea8a-a52d-462c-a5d6-2446d6826ad2\"}],\"state\":{\"visualization\":{\"layerId\":\"56f3ea8a-a52d-462c-a5d6-2446d6826ad2\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"359f23a5-abc4-4204-bbf3-16951a7c5d72\",\"alignment\":\"center\"},{\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"85ee823b-6334-4687-ab5f-43570c69996c\",\"isTransposed\":false},{\"columnId\":\"ab0584bf-ccba-47f9-8185-655880391447\",\"isTransposed\":false,\"width\":118.66666666666663,\"alignment\":\"center\"},{\"columnId\":\"99c6b2d5-c246-46a3-86dd-55d9e30491fd\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"f3863ce5-8d01-4f5e-a42b-137410f47c41\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"52fb95cb-0446-4db0-93d7-d79a7fea0344\",\"isTransposed\":false,\"alignment\":\"center\",\"width\":156.66666666666669},{\"columnId\":\"697b46cb-1d88-49da-9761-25a974891b4a\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"56f3ea8a-a52d-462c-a5d6-2446d6826ad2\":{\"columns\":{\"359f23a5-abc4-4204-bbf3-16951a7c5d72\":{\"label\":\"IP\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.ip\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-49
63-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"34e5c607-4963-4388-a2d1-5c925ff7ea54\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"85ee823b-6334-4687-ab5f-43570c69996c\":{\"label\":\"Alias\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.alias\",\"isBucketed\":true,\"params\":{\"size\":50,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ab0584bf-ccba-47f9-8185-655880391447\":{\"label\":\"DHCP\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.dhcp.enabled\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"99c6b2d5-c246-46a3-86dd-55d9e30491fd\":{\"label\":\"Gateway\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.gateway\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeI
sRegex\":false},\"customLabel\":true},\"f3863ce5-8d01-4f5e-a42b-137410f47c41\":{\"label\":\"MAC Address\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.mac\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"52fb95cb-0446-4db0-93d7-d79a7fea0344\":{\"label\":\"Vitual\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.virtual\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"697b46cb-1d88-49da-9761-25a974891b4a\":{\"label\":\"Connected 
SSID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.adapter.wifi.ssid\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"85ee823b-6334-4687-ab5f-43570c69996c\",\"359f23a5-abc4-4204-bbf3-16951a7c5d72\",\"ab0584bf-ccba-47f9-8185-655880391447\",\"99c6b2d5-c246-46a3-86dd-55d9e30491fd\",\"f3863ce5-8d01-4f5e-a42b-137410f47c41\",\"52fb95cb-0446-4db0-93d7-d79a7fea0344\",\"697b46cb-1d88-49da-9761-25a974891b4a\",\"34e5c607-4963-4388-a2d1-5c925ff7ea54\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"601d0e2a-08ac-4442-bbfc-fdfb6ed68c0b\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Network Cards Details\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Network 
Adapters\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":6,\"h\":6,\"i\":\"d64e1165-e5d6-46d2-abb9-e4315e238f9e\"},\"panelIndex\":\"d64e1165-e5d6-46d2-abb9-e4315e238f9e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-72f117b5-7ab9-41e7-a1f4-423f8b423707\"}],\"state\":{\"visualization\":{\"layerId\":\"72f117b5-7ab9-41e7-a1f4-423f8b423707\",\"accessor\":\"42fcfbaf-a528-4d05-8486-2bbf3a01d173\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#cb4848\",\"stop\":64}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":null},{\"color\":\"#cb4848\",\"stop\":1}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"72f117b5-7ab9-41e7-a1f4-423f8b423707\":{\"columns\":{\"42fcfbaf-a528-4d05-8486-2bbf3a01d173\":{\"label\":\"Failed High SCAP\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.id\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.result : \\\"fail\\\" and rule.severity : \\\"high\\\" 
\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"42fcfbaf-a528-4d05-8486-2bbf3a01d173\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"5726c30e-a24d-4b78-9d26-deb2771144bd\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Hosts Benchmark Data\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":20,\"w\":42,\"h\":7,\"i\":\"0a48a778-6cb1-44c3-89b8-76d6169e29a8\"},\"panelIndex\":\"0a48a778-6cb1-44c3-89b8-76d6169e29a8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"62456a9a-bd4c-4b57-b6b5-5556b6869ce5\",\"name\":\"indexpattern-datasource-layer-7fbad8bf-b2fd-44ee-b47b-5b2260b8498d\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"2e01df65-7787-4e15-86e3-a45eed285033\"},{\"isTransposed\":false,\"columnId\":\"d65a1a00-5ae8-443b-82bc-62dce81f7ac5\"},{\"columnId\":\"ed56a46c-f9da-4d58-b0f3-06e0ecc264ef\",\"isTransposed\":false},{\"columnId\":\"d5c5e6ac-d61c-4bf2-94de-62b85d9e945a\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"37ea1f0a-2f23-4435-9866-6d11677ca86b\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"7fbad8bf-b2fd-44ee-b47b-5b2260b8498d\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7fbad8bf-b2fd-44ee-b47b-5b2260b8498d\":{\"columns\":{\"2e01df65-7787-4e15-86e3-a45eed285033\":{\"label\":\"Percent 
Full\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.percent_full\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"d65a1a00-5ae8-443b-82bc-62dce81f7ac5\":{\"label\":\"Drive\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.drive.letter\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ed56a46c-f9da-4d58-b0f3-06e0ecc264ef\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"d5c5e6ac-d61c-4bf2-94de-62b85d9e945a\":{\"label\":\"Total Size\",\"dataType\":\"string\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ordinal\",\"sourceField\":\"volume.size\",\"filter\":{\"query\":\"volume.size: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"37ea1f0a-2f23-4435-9866-6d11677ca86b\":{\"label\":\"Freespace\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"volume.freespace\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"d65a1a00-5ae8-443b-82bc-62dce81f7ac5\",\"2e01df65-7787-4e15-86e3-a45eed285033\",\"ed56a46c-f9da-4d58-b0f3-06e0ecc264ef\",\"37ea1f0a-2f23-4435-9866-6d11677ca86b\",\"d5c5e6ac-d61c-4bf2-94de-62b85d9e945a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"97fe566e-2647-47dc-a6fb-ccbbc69f8985\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Volumes and Drives for this Endpoint\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Volumes 
\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":6,\"h\":7,\"i\":\"9b009011-6f72-4379-a69b-21e6feedfce7\"},\"panelIndex\":\"9b009011-6f72-4379-a69b-21e6feedfce7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-4ac1c77b-306c-4a94-b080-f204193d6efd\"}],\"state\":{\"visualization\":{\"layerId\":\"4ac1c77b-306c-4a94-b080-f204193d6efd\",\"layerType\":\"data\",\"metricAccessor\":\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869\",\"maxAccessor\":\"00b8ad38-df28-49ec-a473-348fd0305876\",\"showBar\":true,\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":1},{\"color\":\"#d6bf57\",\"stop\":4},{\"color\":\"#cc5642\",\"stop\":14}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":null},{\"color\":\"#d6bf57\",\"stop\":1},{\"color\":\"#cc5642\",\"stop\":4}],\"continuity\":\"all\",\"maxSteps\":5}},\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4ac1c77b-306c-4a94-b080-f204193d6efd\":{\"columns\":{\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X0\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.credentialguard.enabled : false \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X1\":{\"label\":\"Part of Virtualization Security Features 
Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.credentialguard.running: false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X2\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.virtualizationbasedsecurity.status:Off\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X3\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.basevirtualizationsupport.available : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X4\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.dmaprotection.available : false \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X5\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.secureboot.available:false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X6\":{\"label\":\"Part of Virtualization Security Features 
Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.hypervisorenforcedcodeint.enabled: false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X7\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.hypervisorenforcedcodeint.running: false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X8\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.securememoverwrite.available : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X9\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.smmsecuritymigrations.available : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X10\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.systemguardsecurelaunch.enabled : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X11\":{\"label\":\"Part of Virtualization Security 
Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.systemguardsecurelaunch.running : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X12\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.ueficodereadonly.available : false\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X13\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.deviceguard.usermodecodeintegrity.policyenforcement: \\\"Off\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X14\":{\"label\":\"Part of Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.ufi.enabled: false \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X15\":{\"label\":\"Part of Virtualization Security Features 
Disabled\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[{\"type\":\"function\",\"name\":\"add\",\"args\":[\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X0\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X1\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X2\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X3\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X4\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X5\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X6\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X7\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X8\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X9\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X10\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X11\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X12\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X13\"]},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X14\"],\"location\":{\"min\":0,\"max\":1030},\"text\":\"count(kql='event.deviceguard.credentialguard.enabled : false ')+\\r\\ncount(kql='event.deviceguard.credentialguard.running: false')+\\r\\ncount(kql='event.deviceguard.virtualizationbasedsecurity.status:Off')+\\r\\ncount(kql='event.deviceguard.basevirtualizationsupport.available : false')+\\r\\ncount(kql='event.deviceguard.dmaprotection.available : false 
')+\\r\\ncount(kql='event.deviceguard.secureboot.available:false')+\\r\\ncount(kql='event.deviceguard.hypervisorenforcedcodeint.enabled: false')+\\r\\ncount(kql='event.deviceguard.hypervisorenforcedcodeint.running: false')+\\r\\ncount(kql='event.deviceguard.securememoverwrite.available : false')+\\r\\ncount(kql='event.deviceguard.smmsecuritymigrations.available : false')+\\r\\ncount(kql='event.deviceguard.systemguardsecurelaunch.enabled : false')+\\r\\ncount(kql='event.deviceguard.systemguardsecurelaunch.running : false')+\\r\\ncount(kql='event.deviceguard.ueficodereadonly.available : false')+\\r\\ncount(kql='event.deviceguard.usermodecodeintegrity.policyenforcement: \\\"Off\\\" ')+\\r\\ncount(kql='event.ufi.enabled: false ')\"}},\"references\":[\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X0\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X1\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X2\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X3\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X4\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X5\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X6\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X7\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X8\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X9\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X10\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X11\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X12\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X13\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X14\"],\"customLabel\":true},\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869\":{\"label\":\"Virtualization Security Features Disabled\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count(kql='event.deviceguard.credentialguard.enabled : false ')+\\r\\ncount(kql='event.deviceguard.credentialguard.running: false')+\\r\\ncount(kql='event.deviceguard.virtualizationbasedsecurity.status:Off')+\\r\\ncount(kql='event.deviceguard.basevirtualizationsupport.available : false')+\\r\\ncount(kql='event.deviceguard.dmaprotection.available : 
false ')+\\r\\ncount(kql='event.deviceguard.secureboot.available:false')+\\r\\ncount(kql='event.deviceguard.hypervisorenforcedcodeint.enabled: false')+\\r\\ncount(kql='event.deviceguard.hypervisorenforcedcodeint.running: false')+\\r\\ncount(kql='event.deviceguard.securememoverwrite.available : false')+\\r\\ncount(kql='event.deviceguard.smmsecuritymigrations.available : false')+\\r\\ncount(kql='event.deviceguard.systemguardsecurelaunch.enabled : false')+\\r\\ncount(kql='event.deviceguard.systemguardsecurelaunch.running : false')+\\r\\ncount(kql='event.deviceguard.ueficodereadonly.available : false')+\\r\\ncount(kql='event.deviceguard.usermodecodeintegrity.policyenforcement: \\\"Off\\\" ')+\\r\\ncount(kql='event.ufi.enabled: false ')\",\"isFormulaBroken\":false},\"references\":[\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X15\"],\"customLabel\":true},\"00b8ad38-df28-49ec-a473-348fd0305876\":{\"label\":\"Static value: 15\",\"dataType\":\"number\",\"operationType\":\"static_value\",\"isStaticValue\":true,\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"value\":\"15\"},\"references\":[]}},\"columnOrder\":[\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X0\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X1\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X2\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X3\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X4\",\"00b8ad38-df28-49ec-a473-348fd0305876\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X5\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X6\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X7\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X8\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X9\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X10\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X11\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X12\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X13\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X14\",\"2bcd5106-f375-4a03-bb55-a5b2ecfcd869X15\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHo
cDataViews\":{}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"c3bbd434-5b28-4d1a-8013-b1553f622b22\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Protection Status for Endpoint\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":27,\"w\":42,\"h\":5,\"i\":\"58ca195d-92a8-4a9d-bd11-1954002c8693\"},\"panelIndex\":\"58ca195d-92a8-4a9d-bd11-1954002c8693\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-bae2bbb2-5c2c-406b-8deb-d02970643aa0\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"7652d41d-2e97-48fd-93e2-e824d0429eb7\",\"isTransposed\":false},{\"columnId\":\"6f018424-e6a2-4360-be1e-df25d68727f5\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"936ad955-bf89-4c25-908d-d8d4e1e71bb0\",\"isTransposed\":false},{\"columnId\":\"795022df-3834-4ba5-b1a4-b747e4da1e2a\",\"isTransposed\":false},{\"columnId\":\"c984f83e-d094-47ea-87d2-3dcd7154ae37\",\"isTransposed\":false}],\"layerId\":\"bae2bbb2-5c2c-406b-8deb-d02970643aa0\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bae2bbb2-5c2c-406b-8deb-d02970643aa0\":{\"columns\":{\"7652d41d-2e97-48fd-93e2-e824d0429eb7\":{\"label\":\"AntiVirus 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.security.antivirus.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f018424-e6a2-4360-be1e-df25d68727f5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6f018424-e6a2-4360-be1e-df25d68727f5\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"936ad955-bf89-4c25-908d-d8d4e1e71bb0\":{\"label\":\"AV Exists\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.security.antivirus.exists\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f018424-e6a2-4360-be1e-df25d68727f5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"795022df-3834-4ba5-b1a4-b747e4da1e2a\":{\"label\":\"State\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.security.antivirus.state\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f018424-e6a2-4360-be1e-df25d68727f5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c984f83e-d094-47ea-87d2-3dcd7154ae37\":{\"label\":\"Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.security.antivirus.status\",\"isBucketed\":true,\"params\":{\"size\"
:3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f018424-e6a2-4360-be1e-df25d68727f5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"936ad955-bf89-4c25-908d-d8d4e1e71bb0\",\"7652d41d-2e97-48fd-93e2-e824d0429eb7\",\"795022df-3834-4ba5-b1a4-b747e4da1e2a\",\"c984f83e-d094-47ea-87d2-3dcd7154ae37\",\"6f018424-e6a2-4360-be1e-df25d68727f5\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"e7f01244-f435-4359-ab17-7faca8d78f98\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View Protection Status for Endpoint\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Antivirus 
Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":4,\"i\":\"5a0cbef6-cb66-4850-8dd1-4fc4f81ddaf2\"},\"panelIndex\":\"5a0cbef6-cb66-4850-8dd1-4fc4f81ddaf2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-ee0f709e-2211-41d5-afc0-086b3eb4d692\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"4bae6e8b-82e3-4e86-b8cc-017cd41c4cdc\",\"isTransposed\":false},{\"columnId\":\"6d563e2d-f0dd-40fc-b9c4-c003f69b6fd7\",\"isTransposed\":false},{\"columnId\":\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\",\"isTransposed\":false},{\"columnId\":\"41f62f4c-295f-424b-b44f-452ed3b0dcd0\",\"isTransposed\":false},{\"columnId\":\"f80b87d6-0e6b-4489-863b-0164f889b4e6\",\"isTransposed\":false,\"width\":695}],\"layerId\":\"ee0f709e-2211-41d5-afc0-086b3eb4d692\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ee0f709e-2211-41d5-afc0-086b3eb4d692\":{\"columns\":{\"4bae6e8b-82e3-4e86-b8cc-017cd41c4cdc\":{\"label\":\"TYCHON Agent Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"tychon.version.agent\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6d563e2d-f0dd-40fc-b9c4-c003f69b6fd7\":{\"label\":\"Content 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"tychon.version.content\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\":{\"label\":\"OVAL Def Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"tychon.definition.oval\",\"filter\":{\"query\":\"tychon.definition.oval: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"41f62f4c-295f-424b-b44f-452ed3b0dcd0\":{\"label\":\"SCAP Def Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"tychon.definition.stig\",\"filter\":{\"query\":\"tychon.definition.stig: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"f80b87d6-0e6b-4489-863b-0164f889b4e6\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"tychon.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"f80b87d6-0e6b-4489-863b-0164f889b4e6\",\"4bae6e8b-82e3-4e86-b8cc-017cd41c4cdc\",\"6d563e2d-f0dd-40fc-b9c4-c003f69b6fd7\",\"be8ac2ad-1ff9-4123-9ca6-ab95e7b1a50f\",\"41f62f4c-295f-424b-b44f-452ed3b0dcd0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"TYCHON Agentless Info\"},{\"version\":\"8.6.2\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"gridData\":{\"x\":0,\"y\":36,\"w\":48,\"h\":17,\"i\":\"649e620d-4cf9-4c17-978b-113e3df64c46\"},\"panelIndex\":\"649e620d-4cf9-4c17-978b-113e3df64c46\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Log stream\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Host Information", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-24T15:35:21.428Z", + "id": "tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "2d1446f2-6aee-4a7c-84e2-aeffa6c5cf9d:panel_2d1446f2-6aee-4a7c-84e2-aeffa6c5cf9d", + "type": "visualization" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": 
"a5029f8a-476b-4375-bb7a-d60889ade8a4:metrics_a5029f8a-476b-4375-bb7a-d60889ade8a4_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "8ecc8919-ac6e-4281-a356-05f552ccf10f:indexpattern-datasource-layer-f4ed5a42-075e-4684-a82d-9b69f3ff5212", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "fd21cc47-2ac3-4a88-8598-c458a47d1e90:indexpattern-datasource-layer-596cb7b8-af7b-40db-affa-e7591c0165be", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "7412b1ca-0c47-4905-aa6a-474686887f76:indexpattern-datasource-layer-21cf6cf3-6399-4b45-8e70-849aa6623d06", + "type": "index-pattern" + }, + { + "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd", + "name": "88c54662-3d8e-4484-9bad-ab4d1aac4ffc:indexpattern-datasource-layer-72f117b5-7ab9-41e7-a1f4-423f8b423707", + "type": "index-pattern" + }, + { + "id": "tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve", + "name": "88c54662-3d8e-4484-9bad-ab4d1aac4ffc:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:69270630-ea7e-41db-a897-69da6ff72cdf:dashboardId", + "type": "dashboard" + }, + { + "id": "e886429e-9532-4f44-bb36-6465fe760866", + "name": "5ba071e0-cef6-4e8f-b34a-11b1cc806714:indexpattern-datasource-layer-56f3ea8a-a52d-462c-a5d6-2446d6826ad2", + "type": "index-pattern" + }, + { + "id": "tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter", + "name": "5ba071e0-cef6-4e8f-b34a-11b1cc806714:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:601d0e2a-08ac-4442-bbfc-fdfb6ed68c0b:dashboardId", + "type": "dashboard" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "d64e1165-e5d6-46d2-abb9-e4315e238f9e:indexpattern-datasource-layer-72f117b5-7ab9-41e7-a1f4-423f8b423707", + "type": "index-pattern" + }, + { + "id": "tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig", + "name": 
"d64e1165-e5d6-46d2-abb9-e4315e238f9e:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:5726c30e-a24d-4b78-9d26-deb2771144bd:dashboardId", + "type": "dashboard" + }, + { + "id": "62456a9a-bd4c-4b57-b6b5-5556b6869ce5", + "name": "0a48a778-6cb1-44c3-89b8-76d6169e29a8:indexpattern-datasource-layer-7fbad8bf-b2fd-44ee-b47b-5b2260b8498d", + "type": "index-pattern" + }, + { + "id": "tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive", + "name": "0a48a778-6cb1-44c3-89b8-76d6169e29a8:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:97fe566e-2647-47dc-a6fb-ccbbc69f8985:dashboardId", + "type": "dashboard" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "9b009011-6f72-4379-a69b-21e6feedfce7:indexpattern-datasource-layer-4ac1c77b-306c-4a94-b080-f204193d6efd", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "9b009011-6f72-4379-a69b-21e6feedfce7:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:c3bbd434-5b28-4d1a-8013-b1553f622b22:dashboardId", + "type": "dashboard" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "58ca195d-92a8-4a9d-bd11-1954002c8693:indexpattern-datasource-layer-bae2bbb2-5c2c-406b-8deb-d02970643aa0", + "type": "index-pattern" + }, + { + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "name": "58ca195d-92a8-4a9d-bd11-1954002c8693:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:e7f01244-f435-4359-ab17-7faca8d78f98:dashboardId", + "type": "dashboard" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "5a0cbef6-cb66-4850-8dd1-4fc4f81ddaf2:indexpattern-datasource-layer-ee0f709e-2211-41d5-afc0-086b3eb4d692", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_374dee3b-0adb-43f7-87d4-a8b9c1c9c1c5:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": 
"10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-24T15:35:21.428Z", + "version": "WzgzMzgzMywyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-75c383c0-e508-11ed-8a95-ab70156d4b18-cve.json b/packages/tychon/kibana/dashboard/tychon-75c383c0-e508-11ed-8a95-ab70156d4b18-cve.json new file mode 100644 index 00000000000..46af8bafe1f --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-75c383c0-e508-11ed-8a95-ab70156d4b18-cve.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "description": "TYCHON scans vulnerabilities on every endpoint, it has thousands of checks and leverages the OVAL standard to determine if a CVE applies to an endpoint. TYCHON updates scan results for failed vulnerabilities every hour and performs full vulnerability checks at every reboot of a computer. The results and findings are displayed in this dashboard.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":4,\"h\":5,\"i\":\"c727c528-622b-4fb7-857e-e3bcfe0751fd\"},\"panelIndex\":\"c727c528-622b-4fb7-857e-e3bcfe0751fd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-0682870a-1465-4a9d-be3e-c4863b7582ea\"}],\"state\":{\"visualization\":{\"layerId\":\"0682870a-1465-4a9d-be3e-c4863b7582ea\",\"accessor\":\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0682870a-1465-4a9d-be3e-c4863b7582ea\":{\"columns\":{\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\":{\"label\":\"Total Vulnerability 
Count\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":4,\"y\":0,\"w\":4,\"h\":5,\"i\":\"cab4478f-def6-426a-9c1d-b960cb9e03e9\"},\"panelIndex\":\"cab4478f-def6-426a-9c1d-b960cb9e03e9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-0682870a-1465-4a9d-be3e-c4863b7582ea\"}],\"state\":{\"visualization\":{\"layerId\":\"0682870a-1465-4a9d-be3e-c4863b7582ea\",\"accessor\":\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0682870a-1465-4a9d-be3e-c4863b7582ea\":{\"columns\":{\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\":{\"label\":\"Total Asset 
Count\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"e7d4cc9e-5f43-472d-959d-e0ba1333952b\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":13,\"i\":\"c34200e8-bd83-4a77-9b2f-dc4c87bc1ad9\"},\"panelIndex\":\"c34200e8-bd83-4a77-9b2f-dc4c87bc1ad9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5be62502-2bab-4d66-97ff-d9373963c50d\",\"name\":\"indexpattern-datasource-layer-017cbeff-136b-4bcd-a68f-1d9bb899aa4b\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"949c9440-9dd3-49e4-8476-8ff7d5b0e4b7\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e1ab1f7d-bcb4-4c68-b383-8662ed9a3adf\",\"isTransposed\":false}],\"layerId\":\"017cbeff-136b-4bcd-a68f-1d9bb899aa4b\",\"layerType\":\"data\"},\"query\":{\"query\":\"vulnerability.result : \\\"fail\\\" and vulnerability.due_date \u003e \\\"1970-01-01\\\" and vulnerability.due_date \u003c now\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"017cbeff-136b-4bcd-a68f-1d9bb899aa4b\":{\"columns\":{\"949c9440-9dd3-49e4-8476-8ff7d5b0e4b7\":{\"label\":\"CVE 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":true,\"params\":{\"size\":50,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e1ab1f7d-bcb4-4c68-b383-8662ed9a3adf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e1ab1f7d-bcb4-4c68-b383-8662ed9a3adf\":{\"label\":\"Due Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"vulnerability.due_date\",\"filter\":{\"query\":\"vulnerability.due_date: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"vulnerability.due_date\"},\"customLabel\":true}},\"columnOrder\":[\"949c9440-9dd3-49e4-8476-8ff7d5b0e4b7\",\"e1ab1f7d-bcb4-4c68-b383-8662ed9a3adf\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"TYCHON gives a \\\"due date\\\" for vulnerabilities when they meet certain criteria. 
It uses CISA reported date, then 18 days from an IAVA release, or 30 days from the release of a critical severity CVE.\",\"enhancements\":{}},\"title\":\"Vulnerabilities Failing Past Due\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":16,\"y\":0,\"w\":16,\"h\":13,\"i\":\"d4f17392-b10b-4343-82ea-a7e374333327\"},\"panelIndex\":\"d4f17392-b10b-4343-82ea-a7e374333327\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-2aca319d-8aef-4230-afa2-3fc928a03f8d\"},{\"type\":\"index-pattern\",\"name\":\"4e2f597d-d225-4927-8a8f-a9c968bd4a21\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"4be56e8d-3d14-4175-80c8-222f40fd9659\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\",\"isTransposed\":false,\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}},\"alignment\":\"center\",\"summaryRow\":\"sum\"},{\"columnId\":\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":20},{\"color\":\"#aed3ca\",\"stop\":40},{\"color\":\"#85bdb1\",\"stop\":60},{\"color\":\"#5aa898\",\"stop\":80},{\"color\":\"#209280\",\"stop\":100}]}},\"summaryRow\":\"sum\"},{\"columnId\":\"f55eae82-d6a8-4314-9eac-c4e5f68a521e\",\"isTransposed\":false,\"alignment\":\"center\",\"color
Mode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}},\"summaryRow\":\"sum\"},{\"columnId\":\"2bf89fa2-fa5e-49d4-ae94-69caf1677afd\",\"isTransposed\":false}],\"layerId\":\"2aca319d-8aef-4230-afa2-3fc928a03f8d\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":true,\"alias\":null,\"index\":\"4e2f597d-d225-4927-8a8f-a9c968bd4a21\",\"key\":\"vulnerability.severity\",\"field\":\"vulnerability.severity\",\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"vulnerability.severity\":\"\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"2aca319d-8aef-4230-afa2-3fc928a03f8d\":{\"columns\":{\"4be56e8d-3d14-4175-80c8-222f40fd9659\":{\"label\":\"NVD Severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\":{\"label\":\"Total 
Passed\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"pass\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"f55eae82-d6a8-4314-9eac-c4e5f68a521e\":{\"label\":\"Total Score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"vulnerability.score.base\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2bf89fa2-fa5e-49d4-ae94-69caf1677afd\":{\"label\":\"Total Possible Score\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"vulnerability.score.base\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"4be56e8d-3d14-4175-80c8-222f40fd9659\",\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\",\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\",\"f55eae82-d6a8-4314-9eac-c4e5f68a521e\",\"2bf89fa2-fa5e-49d4-ae94-69caf1677afd\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"TYCHON uses NVD version 2 and 3 scores to evaluate risk scores for CVE vulnerabilities. 
\",\"enhancements\":{}},\"title\":\"NVD Severity Breakdown\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":9,\"i\":\"5cb629a9-cd1d-4c34-80d0-bd4f89f8c7a3\"},\"panelIndex\":\"5cb629a9-cd1d-4c34-80d0-bd4f89f8c7a3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-2aca319d-8aef-4230-afa2-3fc928a03f8d\"},{\"type\":\"index-pattern\",\"name\":\"f9b1376a-2b15-459b-83e8-808684076ee2\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"4be56e8d-3d14-4175-80c8-222f40fd9659\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\",\"isTransposed\":false,\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}},\"alignment\":\"center\",\"summaryRow\":\"sum\"},{\"columnId\":\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":20},{\"color\":\"#aed3ca\",\"stop\":40},{\"color\":\"#85bdb1\",\"stop\":60},{\"color\":\"#5aa898\",\"stop\":80},{\"color\":\"#209280\",\"stop\":100}]}},\"summaryRow\":\"sum\"}],\"layerId\":\"2aca319d-8aef-4230-afa2-3fc928a03f8d\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":true,\"alias\":null,\"index\":\"f9b1376a-2b15-459b-83e8-80
8684076ee2\",\"key\":\"vulnerability.iava_severity\",\"field\":\"vulnerability.iava_severity\",\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"vulnerability.iava_severity\":\"\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"2aca319d-8aef-4230-afa2-3fc928a03f8d\":{\"columns\":{\"4be56e8d-3d14-4175-80c8-222f40fd9659\":{\"label\":\"NVD Severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.iava_severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\":{\"label\":\"Total Passed\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"pass\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4be56e8d-3d14-4175-80c8-222f40fd9659\",\"98af4dc8-b5fd-49fe-979f-fdcd1b012600\",\"2c114e7a-fd2b-4a07-a4c1-9438782e8f5b\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"TYCHON aligns its vulnerabilities to DISA IAVA to help associate the risk with failing 
checks.\",\"enhancements\":{}},\"title\":\"IAVA Severity Breakdown \"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":40,\"y\":0,\"w\":8,\"h\":32,\"i\":\"9d7c1a54-bcc4-4ee3-9fb0-bcc83768d8bb\"},\"panelIndex\":\"9d7c1a54-bcc4-4ee3-9fb0-bcc83768d8bb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-10dc586e-9120-457f-bd25-337e235c0ede\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\",\"isTransposed\":false,\"oneClickFilter\":true,\"alignment\":\"center\"},{\"columnId\":\"b5204440-d65a-4c58-a048-242c2bc8c9da\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"negative\",\"params\":{\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}],\"name\":\"negative\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}}],\"layerId\":\"10dc586e-9120-457f-bd25-337e235c0ede\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"10dc586e-9120-457f-bd25-337e235c0ede\":{\"columns\":{\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\":{\"label\":\"Year\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.year\",\"isBucketed\":true,\"params\":{\"size\":30,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b5204440-d65a-4c58-a048-242c2bc8c9da\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"includ
e\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b5204440-d65a-4c58-a048-242c2bc8c9da\":{\"label\":\"Total Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\":{\"label\":\"Failing Counts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\",\"b5204440-d65a-4c58-a048-242c2bc8c9da\",\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Counts By 
Year\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":4,\"h\":4,\"i\":\"43687602-22dc-4c1c-8eaa-b73bf8684e2b\"},\"panelIndex\":\"43687602-22dc-4c1c-8eaa-b73bf8684e2b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856\"}],\"state\":{\"visualization\":{\"layerId\":\"f8c69b31-1e26-48da-bfce-173a232da856\",\"layerType\":\"data\",\"metricAccessor\":\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"maxAccessor\":\"64227f18-dfeb-4263-acbd-a4bc6e800520\",\"showBar\":true,\"color\":\"#E7664C\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f8c69b31-1e26-48da-bfce-173a232da856\":{\"columns\":{\"70df2efb-db8e-43ab-bd8e-35efab122186\":{\"label\":\"Total Fails\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"64227f18-dfeb-4263-acbd-a4bc6e800520\":{\"label\":\"Total 
Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"64227f18-dfeb-4263-acbd-a4bc6e800520\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":4,\"y\":5,\"w\":4,\"h\":4,\"i\":\"8e5d38ea-9796-49e2-bbb7-02db91569c4b\"},\"panelIndex\":\"8e5d38ea-9796-49e2-bbb7-02db91569c4b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856\"}],\"state\":{\"visualization\":{\"layerId\":\"f8c69b31-1e26-48da-bfce-173a232da856\",\"layerType\":\"data\",\"metricAccessor\":\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"maxAccessor\":\"64227f18-dfeb-4263-acbd-a4bc6e800520\",\"showBar\":true,\"color\":\"#E7664C\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f8c69b31-1e26-48da-bfce-173a232da856\":{\"columns\":{\"70df2efb-db8e-43ab-bd8e-35efab122186\":{\"label\":\"Hosts Failing\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"64227f18-dfeb-4263-acbd-a4bc6e800520\":{\"label\":\"Unique count of 
tychon.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"64227f18-dfeb-4263-acbd-a4bc6e800520\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":9,\"w\":4,\"h\":4,\"i\":\"69a84b6a-5fd8-47b0-ac56-4b36579689c3\"},\"panelIndex\":\"69a84b6a-5fd8-47b0-ac56-4b36579689c3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856\"}],\"state\":{\"visualization\":{\"layerId\":\"f8c69b31-1e26-48da-bfce-173a232da856\",\"layerType\":\"data\",\"metricAccessor\":\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"maxAccessor\":\"64227f18-dfeb-4263-acbd-a4bc6e800520\",\"showBar\":true,\"color\":\"#54B399\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f8c69b31-1e26-48da-bfce-173a232da856\":{\"columns\":{\"70df2efb-db8e-43ab-bd8e-35efab122186\":{\"label\":\"Total Passed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"vulnerability.result : \\\"pass\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"64227f18-dfeb-4263-acbd-a4bc6e800520\":{\"label\":\"Total 
Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"64227f18-dfeb-4263-acbd-a4bc6e800520\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":4,\"y\":9,\"w\":4,\"h\":4,\"i\":\"e77342b9-6b1d-4c31-ae74-65550418decb\"},\"panelIndex\":\"e77342b9-6b1d-4c31-ae74-65550418decb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856\"}],\"state\":{\"visualization\":{\"layerId\":\"f8c69b31-1e26-48da-bfce-173a232da856\",\"layerType\":\"data\",\"metricAccessor\":\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"maxAccessor\":\"64227f18-dfeb-4263-acbd-a4bc6e800520\",\"showBar\":true,\"color\":\"#E7664C\",\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f8c69b31-1e26-48da-bfce-173a232da856\":{\"columns\":{\"70df2efb-db8e-43ab-bd8e-35efab122186\":{\"label\":\"Hosts Failing IAVA\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" and not vulnerability.iava : \\\"\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"64227f18-dfeb-4263-acbd-a4bc6e800520\":{\"label\":\"Unique count of 
tychon.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"70df2efb-db8e-43ab-bd8e-35efab122186\",\"64227f18-dfeb-4263-acbd-a4bc6e800520\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":9,\"w\":8,\"h\":23,\"i\":\"9d985147-542e-444e-95de-86b72e141def\"},\"panelIndex\":\"9d985147-542e-444e-95de-86b72e141def\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-10dc586e-9120-457f-bd25-337e235c0ede\"},{\"type\":\"index-pattern\",\"name\":\"8da78282-bb0e-4b32-b6c4-5b6fcb752b4d\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\",\"isTransposed\":false,\"oneClickFilter\":true,\"alignment\":\"center\"},{\"columnId\":\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"negative\",\"params\":{\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}],\"name\":\"negative\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}}],\"layerId\":\"10dc586e-9120-457f-bd25-337e235c0ede\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"8da78282-bb0e-4b32-b6c4-5b6fcb752b4d\",\"type\":\"phrase\",\"key\":\"vulnerability.iava\",
\"params\":{\"query\":\"\"},\"disabled\":false,\"negate\":true,\"alias\":null},\"query\":{\"match_phrase\":{\"vulnerability.iava\":\"\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"10dc586e-9120-457f-bd25-337e235c0ede\":{\"columns\":{\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\":{\"label\":\"IAVA ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.iava\",\"isBucketed\":true,\"params\":{\"size\":30,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\":{\"label\":\"Failing Counts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"0bddfe81-b0e4-4eca-9e82-6f5072578ee7\",\"ff6c9cbe-26b9-4185-b86d-e41dbc60c1c6\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"DISA IAVA IDs and the total number of failures.\"},\"title\":\"IAVA 
IDs\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":13,\"h\":19,\"i\":\"fbd0fbab-9136-49c6-9b75-46bd3f8d987b\"},\"panelIndex\":\"fbd0fbab-9136-49c6-9b75-46bd3f8d987b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"78931842-dc88-45d7-a6ee-d79fb9f615bd\",\"name\":\"indexpattern-datasource-layer-2b0af3cf-2577-4225-b801-4dbc1c6d10c3\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"2209b20f-7ba7-4118-8ec1-1b860ce5c335\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"96b1c955-f220-47d9-a69f-a01099cd252f\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"negative\",\"params\":{\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}],\"name\":\"negative\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}},{\"columnId\":\"235c5841-8650-4f0d-b15e-e3d9b27ceabc\",\"isTransposed\":false},{\"columnId\":\"41beb024-d85d-4652-a507-97071212c25f\",\"isTransposed\":false}],\"layerId\":\"2b0af3cf-2577-4225-b801-4dbc1c6d10c3\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"2b0af3cf-2577-4225-b801-4dbc1c6d10c3\":{\"columns\":{\"2209b20f-7ba7-4118-8ec1-1b860ce5c335\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"96b1c955-f220-47d9-a69f-a01099cd252f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsR
egex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"96b1c955-f220-47d9-a69f-a01099cd252f\":{\"label\":\"Total Failing\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":false,\"filter\":{\"query\":\"vulnerability.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"235c5841-8650-4f0d-b15e-e3d9b27ceabc\":{\"label\":\"IP\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"96b1c955-f220-47d9-a69f-a01099cd252f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"41beb024-d85d-4652-a507-97071212c25f\":{\"label\":\"MAC\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.mac\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"96b1c955-f220-47d9-a69f-a01099cd252f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"2209b20f-7ba7-4118-8ec1-1b860ce5c335\",\"235c5841-8650-4f0d-b15e-e3d9b27ceabc\",\"41beb024-d85d-4652-a507-97071212c25f\",\"96b1c955-f220-47d9-a69f-a01099cd252f\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"The Top 200 hosts that are reporting failed vulnerabilities, this is a total count of fails. 
\",\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"96e39190-5ea2-4199-993b-6e2657b8299b\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Navigate to Endpoint Browser\",\"config\":{\"useCurrentFilters\":false,\"useCurrentDateRange\":true,\"openInNewTab\":true}}}]}}},\"title\":\"Top 200 Failing Hosts\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":13,\"w\":19,\"h\":19,\"i\":\"1e383218-85c2-48c6-a653-25b2f0c0d869\"},\"panelIndex\":\"1e383218-85c2-48c6-a653-25b2f0c0d869\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5be62502-2bab-4d66-97ff-d9373963c50d\",\"name\":\"indexpattern-datasource-layer-21c4a9b8-f5ce-418b-9466-605c2742d8d9\"},{\"type\":\"index-pattern\",\"name\":\"d50ba03c-dcd0-469e-a4c2-1a02d99263d8\",\"id\":\"5be62502-2bab-4d66-97ff-d9373963c50d\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"area\",\"layers\":[{\"layerId\":\"21c4a9b8-f5ce-418b-9466-605c2742d8d9\",\"accessors\":[\"83ac325a-0162-45d4-b642-33f73351c8d2\"],\"position\":\"top\",\"seriesType\":\"area\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"132c8097-326e-4f5b-81fa-df708221c0ee\",\"splitAccessor\":\"b57de897-5bb8-42a6-8158-571e3fda028a\",\"palette\":{\"type\":\"palette\",\"name\":\"status\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"d50ba03c-dcd0-469e-a4c2-1a02d99263d8\",\"negate\":true,\"type\":\"phrase\",\"key\":\"vulnerability.result\",\"params\":{\"query\":\"unknown\"},\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"vulnerability.result\":\"unknown\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"21c4a9b8-f5ce-418b-9466-605c2742d8d9\":{\"columns\":{\"132c8097-326e-4f5b-81fa-df708221c0ee\":{\"label\":\"event.ingested\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.ingested\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"83ac325a-0162-45d4-b642-33f73351c8d2\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"b57de897-5bb8-42a6-8158-571e3fda028a\":{\"label\":\"Top 3 values of 
vulnerability.result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.result\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"83ac325a-0162-45d4-b642-33f73351c8d2\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"b57de897-5bb8-42a6-8158-571e3fda028a\",\"132c8097-326e-4f5b-81fa-df708221c0ee\",\"83ac325a-0162-45d4-b642-33f73351c8d2\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"A complete history of all vulnerabilities status over time.\",\"enhancements\":{}},\"title\":\"Vulnerability Results Historical Status\"},{\"version\":\"8.8.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"0cc0c389-dc34-4831-ba8e-6f651ee8a793\"},\"panelIndex\":\"0cc0c389-dc34-4831-ba8e-6f651ee8a793\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"5be62502-2bab-4d66-97ff-d9373963c50d\",\"name\":\"indexpattern-datasource-layer-c1cf2b61-d20b-40c8-8a05-678aaa9f2358\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"66252270-26d7-4524-9a63-1885224cb57e\",\"isTransposed\":false,\"alignment\":\"center\",\"summaryRow\":\"sum\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a6c1db\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#e3bd9d\",\"stop\":60},{\"color\":\"#da8b45\",\"stop\":80}],\"name\":\"complimentary\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}},{\"columnId\":\"a8438ac2-fb97-4
ac8-9f2c-2a0308725c01\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"ebec492d-2edd-46fd-95ee-ca6c191dc2ed\",\"isTransposed\":false},{\"columnId\":\"e0e551be-9366-40fb-80eb-942569b9fdb3\",\"isTransposed\":false,\"alignment\":\"center\",\"oneClickFilter\":true},{\"columnId\":\"1ca90a06-f5e5-46ca-9402-65517773efac\",\"isTransposed\":false},{\"columnId\":\"0bae816d-069c-4b6b-ac1f-220e5c3b3e3c\",\"isTransposed\":false},{\"columnId\":\"3b94ade7-e7f2-4c92-9450-ac63c31f2a59\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"7a438fd4-a307-4cc9-85f4-855203fccfc5\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"c1cf2b61-d20b-40c8-8a05-678aaa9f2358\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"66252270-26d7-4524-9a63-1885224cb57e\",\"direction\":\"desc\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c1cf2b61-d20b-40c8-8a05-678aaa9f2358\":{\"columns\":{\"66252270-26d7-4524-9a63-1885224cb57e\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.test_result : \\\"fail\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a8438ac2-fb97-4ac8-9f2c-2a0308725c01\":{\"label\":\"CVE 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.id\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"66252270-26d7-4524-9a63-1885224cb57e\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"accuracyMode\":false},\"customLabel\":true},\"ebec492d-2edd-46fd-95ee-ca6c191dc2ed\":{\"label\":\"Reference\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.reference\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e0e551be-9366-40fb-80eb-942569b9fdb3\":{\"label\":\"Severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1ca90a06-f5e5-46ca-9402-65517773efac\":{\"label\":\"NVD 
Score\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.score.base\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0bae816d-069c-4b6b-ac1f-220e5c3b3e3c\":{\"label\":\"TItle\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.title\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3b94ade7-e7f2-4c92-9450-ac63c31f2a59\":{\"label\":\"Due Date\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"vulnerability.due_date\",\"filter\":{\"query\":\"vulnerability.due_date: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"vulnerability.due_date\"},\"customLabel\":true},\"7a438fd4-a307-4cc9-85f4-855203fccfc5\":{\"label\":\"Due Date 
Reason\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"vulnerability.due_date_reason\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"66252270-26d7-4524-9a63-1885224cb57e\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"a8438ac2-fb97-4ac8-9f2c-2a0308725c01\",\"0bae816d-069c-4b6b-ac1f-220e5c3b3e3c\",\"e0e551be-9366-40fb-80eb-942569b9fdb3\",\"1ca90a06-f5e5-46ca-9402-65517773efac\",\"ebec492d-2edd-46fd-95ee-ca6c191dc2ed\",\"7a438fd4-a307-4cc9-85f4-855203fccfc5\",\"3b94ade7-e7f2-4c92-9450-ac63c31f2a59\",\"66252270-26d7-4524-9a63-1885224cb57e\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"description\":\"CVE IDs that have been reported by the TYCHON scan engine.\",\"enhancements\":{}},\"title\":\"CVE List\"}]",
+ "refreshInterval": {
+ "pause": true,
+ "value": 60000
+ },
+ "timeFrom": "now-30d/d",
+ "timeRestore": true,
+ "timeTo": "now",
+ "title": "[TYCHON] - Vulnerability Dashboard",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-31T18:48:53.917Z",
+ "id": "tychon-75c383c0-e508-11ed-8a95-ab70156d4b18-cve",
+ "managed": false,
+ "references": [
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "c727c528-622b-4fb7-857e-e3bcfe0751fd:indexpattern-datasource-layer-0682870a-1465-4a9d-be3e-c4863b7582ea",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "cab4478f-def6-426a-9c1d-b960cb9e03e9:indexpattern-datasource-layer-0682870a-1465-4a9d-be3e-c4863b7582ea",
+ "type": "index-pattern"
+ },
+ {
+ "id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "name": 
"c34200e8-bd83-4a77-9b2f-dc4c87bc1ad9:indexpattern-datasource-layer-017cbeff-136b-4bcd-a68f-1d9bb899aa4b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "d4f17392-b10b-4343-82ea-a7e374333327:indexpattern-datasource-layer-2aca319d-8aef-4230-afa2-3fc928a03f8d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "d4f17392-b10b-4343-82ea-a7e374333327:4e2f597d-d225-4927-8a8f-a9c968bd4a21",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "5cb629a9-cd1d-4c34-80d0-bd4f89f8c7a3:indexpattern-datasource-layer-2aca319d-8aef-4230-afa2-3fc928a03f8d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "5cb629a9-cd1d-4c34-80d0-bd4f89f8c7a3:f9b1376a-2b15-459b-83e8-808684076ee2",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "9d7c1a54-bcc4-4ee3-9fb0-bcc83768d8bb:indexpattern-datasource-layer-10dc586e-9120-457f-bd25-337e235c0ede",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "43687602-22dc-4c1c-8eaa-b73bf8684e2b:indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "8e5d38ea-9796-49e2-bbb7-02db91569c4b:indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "69a84b6a-5fd8-47b0-ac56-4b36579689c3:indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "e77342b9-6b1d-4c31-ae74-65550418decb:indexpattern-datasource-layer-f8c69b31-1e26-48da-bfce-173a232da856",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": 
"9d985147-542e-444e-95de-86b72e141def:indexpattern-datasource-layer-10dc586e-9120-457f-bd25-337e235c0ede",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "9d985147-542e-444e-95de-86b72e141def:8da78282-bb0e-4b32-b6c4-5b6fcb752b4d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "name": "fbd0fbab-9136-49c6-9b75-46bd3f8d987b:indexpattern-datasource-layer-2b0af3cf-2577-4225-b801-4dbc1c6d10c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve",
+ "name": "fbd0fbab-9136-49c6-9b75-46bd3f8d987b:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:96e39190-5ea2-4199-993b-6e2657b8299b:dashboardId",
+ "type": "dashboard"
+ },
+ {
+ "id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "name": "1e383218-85c2-48c6-a653-25b2f0c0d869:indexpattern-datasource-layer-21c4a9b8-f5ce-418b-9466-605c2742d8d9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "name": "1e383218-85c2-48c6-a653-25b2f0c0d869:d50ba03c-dcd0-469e-a4c2-1a02d99263d8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "name": "0cc0c389-dc34-4831-ba8e-6f651ee8a793:indexpattern-datasource-layer-c1cf2b61-d20b-40c8-8a05-678aaa9f2358",
+ "type": "index-pattern"
+ },
+ {
+ "id": "tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a",
+ "name": "tag-ref-tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "tychon-9c222660-1100-11ee-af86-538da1394f27",
+ "name": "tag-ref-tychon-9c222660-1100-11ee-af86-538da1394f27",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
+ "updated_at": "2023-08-31T18:48:53.917Z",
+ "version": "WzQzODksNF0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-8082ac00-3d41-11ee-9610-15dee918f31a-harddrive.json b/packages/tychon/kibana/dashboard/tychon-8082ac00-3d41-11ee-9610-15dee918f31a-harddrive.json
new file mode 100644
index 00000000000..1a7d118acd1
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-8082ac00-3d41-11ee-9610-15dee918f31a-harddrive.json
@@ -0,0 +1,100 @@
+{
+ "attributes": {
+ "description": "TYCHON collects information about hard drives and volumes attached to computers.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}",
+ "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":27,\"i\":\"b5ddabd8-3016-4232-b28b-06d714106a89\"},\"panelIndex\":\"b5ddabd8-3016-4232-b28b-06d714106a89\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-221c8cb0-1779-45ef-8d12-3923317e3366\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a526ec-1d67-4606-a5ff-fecbe1b12ee6\"},{\"isTransposed\":false,\"columnId\":\"aebe1da3-7bee-43ec-8a75-a8be55373d20\"},{\"isTransposed\":false,\"columnId\":\"040edfd5-86a3-4298-9068-e97f6828acc2\"},{\"isTransposed\":false,\"columnId\":\"317c7190-beca-4bee-80ad-791840ec4b41\"},{\"isTransposed\":false,\"columnId\":\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"}],\"layerId\":\"221c8cb0-1779-45ef-8d12-3923317e3366\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"221c8cb0-1779-45ef-8d12-3923317e3366\":{\"columns\":{\"72a526ec-1d67-4606-a5ff-fecbe1b12ee6\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.name\",\"isBucketed\":true,\"params\":{\"size\":10000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],
\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"aebe1da3-7bee-43ec-8a75-a8be55373d20\":{\"label\":\"Model\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.model\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"040edfd5-86a3-4298-9068-e97f6828acc2\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"317c7190-beca-4bee-80ad-791840ec4b41\":{\"label\":\"Partition Style\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.partition_style\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"72a526ec-1d67-4606-a5ff-fecbe1b12ee6\",\"aebe1da3-7bee-43ec-8a75-a8be55373d20\",\"040edfd5-86a3-4298-9068-e97f6828acc2\",\"317c7190-beca-4bee-80ad-791840ec4b41\",\"82052aa7-a5b0-4b79-9d2e-7f8ccc5808cf\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Physical Disks\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":28,\"y\":0,\"w\":13,\"h\":17,\"i\":\"6859fbab-c985-4bfe-9100-8c5e5326021d\"},\"panelIndex\":\"6859fbab-c985-4bfe-9100-8c5e5326021d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-002038df-af67-4b41-9b1c-06b855c4713e\"}],\"state\":{\"visualization\":{\"layerId\":\"002038df-af67-4b41-9b1c-06b855c4713e\",\"layerType\":\"data\",\"metricAccessor\":\"6090f9f1-96d7-4a5c-8828-00ff9ac2c3ba\",\"breakdownByAccessor\":\"9dffdf45-9da5-41d1-8c37-437e1d70306e\",\"maxCols\":2},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"002038df-af67-4b41-9b1c-06b855c4713e\":{\"columns\":{\"6090f9f1-96d7-4a5c-8828-00ff9ac2c3ba\":{\"label\":\"Avg Disk Size\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"disk.size\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dffdf45-9da5-41d1-8c37-437e1d70306e\":{\"label\":\"Top 10 values of 
host.hardware.manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hardware.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6090f9f1-96d7-4a5c-8828-00ff9ac2c3ba\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"9dffdf45-9da5-41d1-8c37-437e1d70306e\",\"6090f9f1-96d7-4a5c-8828-00ff9ac2c3ba\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Avg Disk Size by Manufacturer\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":41,\"y\":0,\"w\":7,\"h\":17,\"i\":\"cb0c8de2-4fd0-4911-9e61-adab9c11c090\"},\"panelIndex\":\"cb0c8de2-4fd0-4911-9e61-adab9c11c090\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-488a6893-9138-46f9-adbe-e8ce2c47e8bd\"}],\"state\":{\"visualization\":{\"layerId\":\"488a6893-9138-46f9-adbe-e8ce2c47e8bd\",\"layerType\":\"data\",\"metricAccessor\":\"6d005070-a8da-48b0-b946-da89fbabd90e\",\"breakdownByAccessor\":\"d990970c-7e22-4928-805b-18a6962b6799\",\"color\":\"#ededed\",\"maxCols\":1,\"collapseFn\":\"\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"488a6893-9138-46f9-adbe-e8ce2c47e8bd\":{\"columns\":{\"6d005070-a8da-48b0-b946-da89fbabd90e\":{\"label\":\"Avg Disk 
Size\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"disk.size\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"customLabel\":true},\"d990970c-7e22-4928-805b-18a6962b6799\":{\"label\":\"Operating System\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.platform\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6d005070-a8da-48b0-b946-da89fbabd90e\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"d990970c-7e22-4928-805b-18a6962b6799\",\"6d005070-a8da-48b0-b946-da89fbabd90e\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":28,\"y\":17,\"w\":5,\"h\":23,\"i\":\"db1eb37d-8675-44d1-891a-9a8a7c2e8ade\"},\"panelIndex\":\"db1eb37d-8675-44d1-891a-9a8a7c2e8ade\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-6d559375-a858-4fbb-a7cf-2f8fe9e1c7f3\"}],\"state\":{\"visualization\":{\"shape\":\"verticalBullet\",\"layerId\":\"6d559375-a858-4fbb-a7cf-2f8fe9e1c7f3\",\"layerType\":\"data\",\"ticksPosition\":\"bands\",\"labelMajorMode\":\"auto\",\"metricAccessor\":\"4f64099d-20b2-4d74-ba9e-05a9ff5c498e\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#94C5F4\",\"stop\":33.33},{\"color\":\"#7A
ABDA\",\"stop\":66.66},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#94C5F4\",\"stop\":null},{\"color\":\"#7AABDA\",\"stop\":33.33},{\"color\":\"#6092C0\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"colorMode\":\"palette\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6d559375-a858-4fbb-a7cf-2f8fe9e1c7f3\":{\"columns\":{\"4f64099d-20b2-4d74-ba9e-05a9ff5c498e\":{\"label\":\"System Disk\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"disk.system\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"4f64099d-20b2-4d74-ba9e-05a9ff5c498e\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":33,\"y\":17,\"w\":5,\"h\":23,\"i\":\"f85bb00e-3b05-48b5-a447-fb210ba95ff9\"},\"panelIndex\":\"f85bb00e-3b05-48b5-a447-fb210ba95ff9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-064d2f28-8ccf-4c45-a28e-5a5816cd7617\"}],\"state\":{\"visualization\":{\"layerId\":\"064d2f28-8ccf-4c45-a28e-5a5816cd7617\",\"layerType\":\"data\",\"shape\":\"verticalBullet\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#94C5F4\",\"stop\":33.33},{\"color\":\"#7AABDA\",\"stop\":66.66},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#94C5F4\",\"stop\":null},{\"color\":\"#7AABDA\",\"stop\":33.33},{\"color\":\"#60
92C0\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"ticksPosition\":\"bands\",\"labelMajorMode\":\"auto\",\"metricAccessor\":\"986480e5-18b5-4695-85ce-5266db9d4f47\",\"colorMode\":\"palette\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"064d2f28-8ccf-4c45-a28e-5a5816cd7617\":{\"columns\":{\"986480e5-18b5-4695-85ce-5266db9d4f47\":{\"label\":\"Bootable Drive\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"disk.boot_from\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"986480e5-18b5-4695-85ce-5266db9d4f47\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":38,\"y\":17,\"w\":5,\"h\":23,\"i\":\"d401251f-ad81-4c51-9844-f7b09319b927\"},\"panelIndex\":\"d401251f-ad81-4c51-9844-f7b09319b927\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-e8b77360-a165-4a1b-8178-1269a1ddcce0\"}],\"state\":{\"visualization\":{\"layerId\":\"e8b77360-a165-4a1b-8178-1269a1ddcce0\",\"layerType\":\"data\",\"shape\":\"verticalBullet\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#94C5F4\",\"stop\":33.33},{\"color\":\"#7AABDA\",\"stop\":66.66},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#94C5F4\",\"stop\":null},{\"color\":\"#7AABDA\",\"stop\":33.33},{\"color\":\"#6092C0\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"ticksPosition\":\"bands\",\"labelMajorMode\":\"auto\",\"
metricAccessor\":\"838e1571-1035-4b70-be49-400aec480639\",\"colorMode\":\"palette\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8b77360-a165-4a1b-8178-1269a1ddcce0\":{\"columns\":{\"838e1571-1035-4b70-be49-400aec480639\":{\"label\":\"Clustered\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"disk.clustered\",\"isBucketed\":false,\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}},\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"838e1571-1035-4b70-be49-400aec480639\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":43,\"y\":17,\"w\":5,\"h\":23,\"i\":\"3d2627b6-09a8-41ff-8e43-9deb9125cf9b\"},\"panelIndex\":\"3d2627b6-09a8-41ff-8e43-9deb9125cf9b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-9c59f356-6617-4fb4-8d1d-0a31def292f8\"}],\"state\":{\"visualization\":{\"layerId\":\"9c59f356-6617-4fb4-8d1d-0a31def292f8\",\"layerType\":\"data\",\"shape\":\"verticalBullet\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#94C5F4\",\"stop\":33},{\"color\":\"#7AABDA\",\"stop\":66.5},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#94C5F4\",\"stop\":null},{\"color\":\"#7AABDA\",\"stop\":33},{\"color\":\"#6092C0\",\"stop\":66.5}],\"continuity\":\"all\",\"maxSteps\":5}},\"ticksPosition\":\"bands\",\"labelMajorMode\":\"auto\",\"metricAccessor\":\"771f348e-4c25-4739-ab12-de837a5611fb\",\"colorMode\":\"p
alette\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9c59f356-6617-4fb4-8d1d-0a31def292f8\":{\"columns\":{\"771f348e-4c25-4739-ab12-de837a5611fb\":{\"label\":\"Highly Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"disk.highly_available\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"771f348e-4c25-4739-ab12-de837a5611fb\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":10,\"h\":13,\"i\":\"af88c038-d0f3-4189-acbc-4c61caca3bdb\"},\"panelIndex\":\"af88c038-d0f3-4189-acbc-4c61caca3bdb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-f62528d5-75c0-4261-a0e4-b78884ac618b\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"palette\":{\"type\":\"palette\",\"name\":\"status\"},\"layers\":[{\"layerId\":\"f62528d5-75c0-4261-a0e4-b78884ac618b\",\"primaryGroups\":[\"64a6a506-ad81-42bf-9fef-6df18bacd6c7\"],\"metrics\":[\"4a013b2a-4c57-4c45-afb7-8f5a70f2bb3d\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"hide\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f62528d5-75c0-4261-a0e4-b78884ac618b\":{\"columns\":{\"64a6a506-ad81-42bf-9fef-6df18bacd6c7\":{\"label\":\"Top 5 values of 
disk.health_status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.health_status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a013b2a-4c57-4c45-afb7-8f5a70f2bb3d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"4a013b2a-4c57-4c45-afb7-8f5a70f2bb3d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"64a6a506-ad81-42bf-9fef-6df18bacd6c7\",\"4a013b2a-4c57-4c45-afb7-8f5a70f2bb3d\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Overall drive health\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":27,\"w\":10,\"h\":13,\"i\":\"452aa111-8e0c-4403-9c94-3602ec607617\"},\"panelIndex\":\"452aa111-8e0c-4403-9c94-3602ec607617\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-b6a3c283-b27e-4ea5-a36d-ff799f06dc70\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"palette\":{\"type\":\"palette\",\"name\":\"status\"},\"layers\":[{\"layerId\":\"b6a3c283-b27e-4ea5-a36d-ff799f06dc70\",\"primaryGroups\":[\"94813be9-4122-4d2d-a449-f24cc8a62167\"],\"metrics\":[\"a3a8c58a-64ec-4424-a1dd-355a86f6f615\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"hide\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\
":{\"formBased\":{\"layers\":{\"b6a3c283-b27e-4ea5-a36d-ff799f06dc70\":{\"columns\":{\"a3a8c58a-64ec-4424-a1dd-355a86f6f615\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"94813be9-4122-4d2d-a449-f24cc8a62167\":{\"label\":\"Top 2 values of disk.offline\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.offline\",\"isBucketed\":true,\"params\":{\"size\":2,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3a8c58a-64ec-4424-a1dd-355a86f6f615\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"94813be9-4122-4d2d-a449-f24cc8a62167\",\"a3a8c58a-64ec-4424-a1dd-355a86f6f615\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Disk 
Offline\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":20,\"y\":27,\"w\":8,\"h\":13,\"i\":\"56fbe10e-dff8-4436-8a42-588b38208cfc\"},\"panelIndex\":\"56fbe10e-dff8-4436-8a42-588b38208cfc\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"2dc584bc-c446-4150-b561-1415a45ebe87\",\"name\":\"indexpattern-datasource-layer-521e98b0-32d0-48f4-b3a8-1d5673af21ca\"}],\"state\":{\"visualization\":{\"layerId\":\"521e98b0-32d0-48f4-b3a8-1d5673af21ca\",\"layerType\":\"data\",\"breakdownByAccessor\":\"0dea645b-ae9c-4d11-8a3f-6823e94f2e6d\",\"metricAccessor\":\"c0892a53-0ed3-47c0-8dbc-03288c3acefa\",\"maxCols\":2,\"collapseFn\":\"\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"521e98b0-32d0-48f4-b3a8-1d5673af21ca\":{\"columns\":{\"0dea645b-ae9c-4d11-8a3f-6823e94f2e6d\":{\"label\":\"Top 2 values of disk.operational_status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"disk.operational_status\",\"isBucketed\":true,\"params\":{\"size\":2,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c0892a53-0ed3-47c0-8dbc-03288c3acefa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c0892a53-0ed3-47c0-8dbc-03288c3acefa\":{\"label\":\"Count of Disks\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"disk.serial_number\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0dea645b-ae9c-4d11-8a3f-6823e94f2e6d\",\"c0892a53-0ed3-47c0-8dbc-03288c3acefa\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}}]", + "refreshInterval": { + "pause": true, + 
"value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Host Drives", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T19:54:38.220Z", + "id": "tychon-8082ac00-3d41-11ee-9610-15dee918f31a-harddrive", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "b5ddabd8-3016-4232-b28b-06d714106a89:indexpattern-datasource-layer-221c8cb0-1779-45ef-8d12-3923317e3366", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "6859fbab-c985-4bfe-9100-8c5e5326021d:indexpattern-datasource-layer-002038df-af67-4b41-9b1c-06b855c4713e", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "cb0c8de2-4fd0-4911-9e61-adab9c11c090:indexpattern-datasource-layer-488a6893-9138-46f9-adbe-e8ce2c47e8bd", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "db1eb37d-8675-44d1-891a-9a8a7c2e8ade:indexpattern-datasource-layer-6d559375-a858-4fbb-a7cf-2f8fe9e1c7f3", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "f85bb00e-3b05-48b5-a447-fb210ba95ff9:indexpattern-datasource-layer-064d2f28-8ccf-4c45-a28e-5a5816cd7617", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "d401251f-ad81-4c51-9844-f7b09319b927:indexpattern-datasource-layer-e8b77360-a165-4a1b-8178-1269a1ddcce0", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "3d2627b6-09a8-41ff-8e43-9deb9125cf9b:indexpattern-datasource-layer-9c59f356-6617-4fb4-8d1d-0a31def292f8", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "af88c038-d0f3-4189-acbc-4c61caca3bdb:indexpattern-datasource-layer-f62528d5-75c0-4261-a0e4-b78884ac618b", + "type": "index-pattern" + }, + { + "id": 
"2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "452aa111-8e0c-4403-9c94-3602ec607617:indexpattern-datasource-layer-b6a3c283-b27e-4ea5-a36d-ff799f06dc70", + "type": "index-pattern" + }, + { + "id": "2dc584bc-c446-4150-b561-1415a45ebe87", + "name": "56fbe10e-dff8-4436-8a42-588b38208cfc:indexpattern-datasource-layer-521e98b0-32d0-48f4-b3a8-1d5673af21ca", + "type": "index-pattern" + }, + { + "id": "7f851220-3d41-11ee-9610-15dee918f31a", + "name": "tag-ref-7f851220-3d41-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T19:54:38.220Z", + "version": "WzgxODg4MiwyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-8c858ea0-3c74-11ee-8557-a7ea91123f8b-cpu.json b/packages/tychon/kibana/dashboard/tychon-8c858ea0-3c74-11ee-8557-a7ea91123f8b-cpu.json new file mode 100644 index 00000000000..b93e7292bf0 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-8c858ea0-3c74-11ee-8557-a7ea91123f8b-cpu.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"37c0c6aa-5a66-4423-8f05-c055e3679ed7\":{\"order\":0,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"host.hostname\",\"id\":\"37c0c6aa-5a66-4423-8f05-c055e3679ed7\",\"enhancements\":{}}}}" + }, + "description": "TYCHON collects the CPUs attached to an endpoint and records it as part of an endpoint's current state.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":6,\"h\":13,\"i\":\"d484eecf-9300-4edc-86ad-1d364f2cd912\"},\"panelIndex\":\"d484eecf-9300-4edc-86ad-1d364f2cd912\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-1c2d45ad-d83f-47e4-9ae4-c10df0f06b45\"}],\"state\":{\"visualization\":{\"layerId\":\"1c2d45ad-d83f-47e4-9ae4-c10df0f06b45\",\"accessor\":\"11e77fc2-d3fa-4e24-bc42-c85b39e12f0b\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"m\",\"colorMode\":\"None\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1c2d45ad-d83f-47e4-9ae4-c10df0f06b45\":{\"columns\":{\"11e77fc2-d3fa-4e24-bc42-c85b39e12f0b\":{\"label\":\"Reporting 
Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"11e77fc2-d3fa-4e24-bc42-c85b39e12f0b\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":0,\"w\":6,\"h\":13,\"i\":\"c546b60e-cb07-4096-a664-ddc9c3cfdf34\"},\"panelIndex\":\"c546b60e-cb07-4096-a664-ddc9c3cfdf34\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-1572e37a-4766-4cd7-9241-7bf6dd20f0d9\"}],\"state\":{\"visualization\":{\"layerId\":\"1572e37a-4766-4cd7-9241-7bf6dd20f0d9\",\"accessor\":\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1572e37a-4766-4cd7-9241-7bf6dd20f0d9\":{\"columns\":{\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\":{\"label\":\"Avg 
Clockspeed\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"host.cpu.clockspeed\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":0,\"w\":6,\"h\":13,\"i\":\"a6b31f35-2b50-4382-91ab-d4d444435cd5\"},\"panelIndex\":\"a6b31f35-2b50-4382-91ab-d4d444435cd5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-1572e37a-4766-4cd7-9241-7bf6dd20f0d9\"}],\"state\":{\"visualization\":{\"layerId\":\"1572e37a-4766-4cd7-9241-7bf6dd20f0d9\",\"accessor\":\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1572e37a-4766-4cd7-9241-7bf6dd20f0d9\":{\"columns\":{\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\":{\"label\":\"Avg CPU 
Speed\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"host.cpu.speed\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"6649c4f7-3f42-40eb-8b0e-763b91c56d8d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":6,\"h\":13,\"i\":\"1fd537c1-8c02-4381-8205-51082031f6e8\"},\"panelIndex\":\"1fd537c1-8c02-4381-8205-51082031f6e8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-cb07cf4d-d716-4baf-be01-16f87e981373\"},{\"type\":\"index-pattern\",\"name\":\"4e5bed99-c054-480f-97cb-e4add7cda1ec\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\"}],\"state\":{\"visualization\":{\"layerId\":\"cb07cf4d-d716-4baf-be01-16f87e981373\",\"accessor\":\"d5f83eee-7539-4f81-b82f-df6437e6c19b\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4e5bed99-c054-480f-97cb-e4add7cda1ec\",\"type\":\"exists\",\"key\":\"tychon.id\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"tychon.id\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"cb07cf4d-d716-4baf-be01-16f87e981373\":{\"columns\":{\"d5f83eee-7539-4f81-b82f-df6437e6c19b\":{\"label\":\"Virtualized Firmware 
Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"tychon.id\",\"isBucketed\":false,\"filter\":{\"query\":\"host.cpu.virtualization_firmware_enabled : true \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d5f83eee-7539-4f81-b82f-df6437e6c19b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Virtualization Firmware Enabled\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":13,\"i\":\"082ec4db-99e5-4bcb-a0bf-1b574d96e0ab\"},\"panelIndex\":\"082ec4db-99e5-4bcb-a0bf-1b574d96e0ab\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-31533f5b-1ffc-42a1-8f19-d84d8bbf6fc3\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"4ca765a0-4fd5-43c8-ba75-0dbad474e481\"},{\"isTransposed\":false,\"columnId\":\"42dd2ee2-bc93-420d-accf-98ce681d07e6\",\"hidden\":true,\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":20},{\"color\":\"#aed3ca\",\"stop\":40},{\"color\":\"#85bdb1\",\"stop\":60},{\"color\":\"#5aa898\",\"stop\":80},{\"color\":\"#209280\",\"stop\":100}]}},\"summaryRow\":\"avg\"},{\"columnId\":\"ca5a9861-c2f3-410a-be88-410a360f15a5\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"10a4327d-d156-471f-9695-32836a13f2c7\",\"isTransposed\":false,\"alignment\":\"center\",\"summaryRow\":\"avg\"}],\"layerId\":\"31533f5b-1ffc-42a1-8f19-d84d8bbf6fc3\",\"layerType\":\"data\",\"sorting\":{\"columnId\":\"10a4327d-d156-471f-9695-32836a13f2c7\",\"direction\":\"asc\"}},\"query\":{\"query\":\"\",
\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"31533f5b-1ffc-42a1-8f19-d84d8bbf6fc3\":{\"columns\":{\"4ca765a0-4fd5-43c8-ba75-0dbad474e481\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"42dd2ee2-bc93-420d-accf-98ce681d07e6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"42dd2ee2-bc93-420d-accf-98ce681d07e6\":{\"label\":\"CPU Speed\",\"dataType\":\"number\",\"operationType\":\"min\",\"sourceField\":\"host.cpu.speed\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"ca5a9861-c2f3-410a-be88-410a360f15a5\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"42dd2ee2-bc93-420d-accf-98ce681d07e6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"10a4327d-d156-471f-9695-32836a13f2c7\":{\"label\":\"CPU 
Speed\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.cpu.speed\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"4ca765a0-4fd5-43c8-ba75-0dbad474e481\",\"ca5a9861-c2f3-410a-be88-410a360f15a5\",\"10a4327d-d156-471f-9695-32836a13f2c7\",\"42dd2ee2-bc93-420d-accf-98ce681d07e6\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 100 Chipsets\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"c0e77f2e-4bb6-4ee2-af50-248b3cc98549\"},\"panelIndex\":\"c0e77f2e-4bb6-4ee2-af50-248b3cc98549\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-759ddcaa-7578-426f-9a74-24c6026ed05b\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"a76b7191-7ce1-41ce-8df5-868260fc46b6\"},{\"isTransposed\":false,\"columnId\":\"87934d9d-9e53-437e-a9db-b9c9cb30c95e\"},{\"isTransposed\":false,\"columnId\":\"7e900d75-20d0-43bf-8dea-bf4d594416af\"},{\"isTransposed\":false,\"columnId\":\"9a1d7d63-2ee6-4bc4-9ff5-1a35a12cbdd7\"},{\"isTransposed\":false,\"columnId\":\"724d8257-99b5-4149-9007-f97df1355eac\",\"hidden\":true},{\"isTransposed\":false,\"columnId\":\"d56fc6a7-9748-47c7-8379-a29823b578bb\"},{\"isTransposed\":false,\"columnId\":\"8cb19bc9-6ac6-42e1-a7b7-7abea80ac2b2\"},{\"isTransposed\":false,\"columnId
\":\"00f91685-a38f-449d-94c3-5f2428aec1b4\"}],\"layerId\":\"759ddcaa-7578-426f-9a74-24c6026ed05b\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true},\"rowHeight\":\"auto\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"759ddcaa-7578-426f-9a74-24c6026ed05b\":{\"columns\":{\"a76b7191-7ce1-41ce-8df5-868260fc46b6\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":10000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"724d8257-99b5-4149-9007-f97df1355eac\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"87934d9d-9e53-437e-a9db-b9c9cb30c95e\":{\"label\":\"IP Address\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.ip\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"724d8257-99b5-4149-9007-f97df1355eac\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7e900d75-20d0-43bf-8dea-bf4d594416af\":{\"label\":\"Architecture\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.architecture\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"724d8257-99b5-4149-9007-f97df1355eac\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9a1d7d63-2ee6-4bc4-9ff5-1a35a12cbdd7\":{\"label\":\"MAC\",\"
dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.mac\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"724d8257-99b5-4149-9007-f97df1355eac\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"724d8257-99b5-4149-9007-f97df1355eac\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"d56fc6a7-9748-47c7-8379-a29823b578bb\":{\"label\":\"# of Cores\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"host.cpu.number_of_cores\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"8cb19bc9-6ac6-42e1-a7b7-7abea80ac2b2\":{\"label\":\"Logical Processors\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"host.cpu.number_of_logical_processors\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"00f91685-a38f-449d-94c3-5f2428aec1b4\":{\"label\":\"CPU 
Speed\",\"dataType\":\"number\",\"operationType\":\"sum\",\"sourceField\":\"host.cpu.speed\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"a76b7191-7ce1-41ce-8df5-868260fc46b6\",\"87934d9d-9e53-437e-a9db-b9c9cb30c95e\",\"7e900d75-20d0-43bf-8dea-bf4d594416af\",\"9a1d7d63-2ee6-4bc4-9ff5-1a35a12cbdd7\",\"724d8257-99b5-4149-9007-f97df1355eac\",\"d56fc6a7-9748-47c7-8379-a29823b578bb\",\"8cb19bc9-6ac6-42e1-a7b7-7abea80ac2b2\",\"00f91685-a38f-449d-94c3-5f2428aec1b4\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"5c2fbf68-47f9-403f-a3a9-71b9b7c870ef\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View TYCHON Host Information\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}},\"hidePanelTitles\":false},\"title\":\"Host 
List\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":10,\"i\":\"86be9e95-687e-4826-b72c-3d2b4f574a85\"},\"panelIndex\":\"86be9e95-687e-4826-b72c-3d2b4f574a85\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a264bf8d-abc3-4789-9f4c-bf76397e06ba\",\"name\":\"indexpattern-datasource-layer-ca388af1-4820-4a41-b392-da6c505cfc19\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"ca388af1-4820-4a41-b392-da6c505cfc19\",\"accessors\":[\"4801ad21-f333-4454-968c-49415af0dc0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"37228917-276b-4623-b15e-f3426e2f4a0b\",\"yConfig\":[{\"forAccessor\":\"4801ad21-f333-4454-968c-49415af0dc0b\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca388af1-4820-4a41-b392-da6c505cfc19\":{\"columns\":{\"37228917-276b-4623-b15e-f3426e2f4a0b\":{\"label\":\"Report Events\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.ingested\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false},\"customLabel\":true},\"4801ad21-f333-4454-968c-49415af0dc0bX0\":{\"label\":\"Part of Reporting 
Hosts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"4801ad21-f333-4454-968c-49415af0dc0b\":{\"label\":\"Reporting Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"4801ad21-f333-4454-968c-49415af0dc0bX0\"],\"customLabel\":true}},\"columnOrder\":[\"37228917-276b-4623-b15e-f3426e2f4a0b\",\"4801ad21-f333-4454-968c-49415af0dc0b\",\"4801ad21-f333-4454-968c-49415af0dc0bX0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events Reported over Time\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Host CPUs", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:53:52.146Z", + "id": "tychon-8c858ea0-3c74-11ee-8557-a7ea91123f8b-cpu", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "d484eecf-9300-4edc-86ad-1d364f2cd912:indexpattern-datasource-layer-1c2d45ad-d83f-47e4-9ae4-c10df0f06b45", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "c546b60e-cb07-4096-a664-ddc9c3cfdf34:indexpattern-datasource-layer-1572e37a-4766-4cd7-9241-7bf6dd20f0d9", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "a6b31f35-2b50-4382-91ab-d4d444435cd5:indexpattern-datasource-layer-1572e37a-4766-4cd7-9241-7bf6dd20f0d9", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": 
"1fd537c1-8c02-4381-8205-51082031f6e8:indexpattern-datasource-layer-cb07cf4d-d716-4baf-be01-16f87e981373", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "1fd537c1-8c02-4381-8205-51082031f6e8:4e5bed99-c054-480f-97cb-e4add7cda1ec", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "082ec4db-99e5-4bcb-a0bf-1b574d96e0ab:indexpattern-datasource-layer-31533f5b-1ffc-42a1-8f19-d84d8bbf6fc3", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "c0e77f2e-4bb6-4ee2-af50-248b3cc98549:indexpattern-datasource-layer-759ddcaa-7578-426f-9a74-24c6026ed05b", + "type": "index-pattern" + }, + { + "id": "tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host", + "name": "c0e77f2e-4bb6-4ee2-af50-248b3cc98549:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:5c2fbf68-47f9-403f-a3a9-71b9b7c870ef:dashboardId", + "type": "dashboard" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "86be9e95-687e-4826-b72c-3d2b4f574a85:indexpattern-datasource-layer-ca388af1-4820-4a41-b392-da6c505cfc19", + "type": "index-pattern" + }, + { + "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba", + "name": "controlGroup_37c0c6aa-5a66-4423-8f05-c055e3679ed7:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "b08ff050-41c5-11ee-83e4-c92ed141b9e5", + "name": "tag-ref-b08ff050-41c5-11ee-83e4-c92ed141b9e5", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:53:52.146Z", + "version": "WzgyMTY0NiwyMl0=" +} \ No newline at end of file 
diff --git a/packages/tychon/kibana/dashboard/tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware.json b/packages/tychon/kibana/dashboard/tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware.json new file mode 100644 index 00000000000..e3bc9982610 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"2b9581fc-f55b-46f5-bf71-0cbfba5cc9ae\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"singleSelect\":true,\"hideExclude\":true,\"hideExists\":true,\"id\":\"2b9581fc-f55b-46f5-bf71-0cbfba5cc9ae\",\"enhancements\":{},\"selectedOptions\":[]}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Hardware Inventory view displays all hardware currently or previously attached to a computer.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"ae9194f3-7df8-415d-870c-3480f12e4971\"},\"panelIndex\":\"ae9194f3-7df8-415d-870c-3480f12e4971\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_ae9194f3-7df8-415d-870c-3480f12e4971\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":28,\"y\":3,\"w\":20,\"h\":14,\"i\":\"f065275d-50bf-4f95-a7a8-90d7bbaafacb\"},\"panelIndex\":\"f065275d-50bf-4f95-a7a8-90d7bbaafacb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-7c2eef60-6291-469e-976b-a5f2ed860552\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"7c2eef60-6291-469e-976b-a5f2ed860552\",\"accessors\":[\"431903e4-23c5-4170-b4b6-5b4c46d85fba\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"76354b85-6c58-49a1-a1f7-2f0d0fd30970\",\"yConfig\":[{\"forAccessor\":\"431903e4-23c5-4170-b4b6-5b4c46d85fba\",\"color\":\"#6092c0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7c2eef60-6291-469e-976b-a5f2ed860552\":{\"columns\":{\"76354b85-6c58-49a1-a1f7-2f0d0fd30970\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":15,\"orderBy\":{\"type\":\"column\",\"columnId\":\"431903e4-23c5-4170-b4b6-5b4c46d85fba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"include
IsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"431903e4-23c5-4170-b4b6-5b4c46d85fba\":{\"label\":\"Count of device.manufacturer\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"device.manufacturer\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"76354b85-6c58-49a1-a1f7-2f0d0fd30970\",\"431903e4-23c5-4170-b4b6-5b4c46d85fba\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 15 Device Manufacturers\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":3,\"w\":6,\"h\":14,\"i\":\"fe594ff8-c22c-40c4-9ab2-e9b2fea85847\"},\"panelIndex\":\"fe594ff8-c22c-40c4-9ab2-e9b2fea85847\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-6c93481d-09a6-47eb-857d-e98b13758ec8\"}],\"state\":{\"visualization\":{\"layerId\":\"6c93481d-09a6-47eb-857d-e98b13758ec8\",\"accessor\":\"8bf6ff37-6dc7-442a-bbd5-629562840b8c\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"size\":\"l\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6c93481d-09a6-47eb-857d-e98b13758ec8\":{\"columns\":{\"8bf6ff37-6dc7-442a-bbd5-629562840b8c\":{\"label\":\"Total Device 
Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"8bf6ff37-6dc7-442a-bbd5-629562840b8c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":3,\"w\":12,\"h\":7,\"i\":\"26f1102d-2afc-4e57-ac53-25d4cb848ed5\"},\"panelIndex\":\"26f1102d-2afc-4e57-ac53-25d4cb848ed5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-16326d6b-8de2-4f2f-945f-3d9a23538c43\"}],\"state\":{\"visualization\":{\"layerId\":\"16326d6b-8de2-4f2f-945f-3d9a23538c43\",\"layerType\":\"data\",\"metricAccessor\":\"3e10af95-976a-44c0-8a98-d7fade76dda6\",\"maxAccessor\":\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\",\"showBar\":true},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"16326d6b-8de2-4f2f-945f-3d9a23538c43\":{\"columns\":{\"3e10af95-976a-44c0-8a98-d7fade76dda6\":{\"label\":\"Total Present\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"device.present\",\"filter\":{\"query\":\"device.present : true\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"3e10af95-976a-44c0-8a98-d7fade76dda6\",\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":3,\"w\":10,\"h\":14,\"i\":\"0ef9aa2c-73b1-4b65-89cc-1c68441fe5b9\"},\"panelIndex\":\"0ef9aa2c-73b1-4b65-89cc-1c68441fe5b9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-82dd98f7-71b6-4e8f-84b2-a5bacc5afa97\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"82dd98f7-71b6-4e8f-84b2-a5bacc5afa97\",\"primaryGroups\":[\"bf8b9c18-8de4-41de-9651-3b2bf7787362\"],\"metrics\":[\"ba99dfe6-7e5f-45d3-a688-2bd52ef92c5f\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"82dd98f7-71b6-4e8f-84b2-a5bacc5afa97\":{\"columns\":{\"bf8b9c18-8de4-41de-9651-3b2bf7787362\":{\"label\":\"Device 
Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.class\",\"isBucketed\":true,\"params\":{\"size\":15,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ba99dfe6-7e5f-45d3-a688-2bd52ef92c5f\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[\"System\"],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ba99dfe6-7e5f-45d3-a688-2bd52ef92c5f\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"bf8b9c18-8de4-41de-9651-3b2bf7787362\",\"ba99dfe6-7e5f-45d3-a688-2bd52ef92c5f\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Device Type Breakdown\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":10,\"w\":12,\"h\":7,\"i\":\"ce341abb-5aea-4712-969d-9748b4de78af\"},\"panelIndex\":\"ce341abb-5aea-4712-969d-9748b4de78af\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-16326d6b-8de2-4f2f-945f-3d9a23538c43\"}],\"state\":{\"visualization\":{\"layerId\":\"16326d6b-8de2-4f2f-945f-3d9a23538c43\",\"layerType\":\"data\",\"metricAccessor\":\"3e10af95-976a-44c0-8a98-d7fade76dda6\",\"maxAccessor\":\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\",\"showBar\":true},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"16326d6b-8de2-4f2f-945f-3d9a23538c43\":{\"columns\":{\"3e10af95-976a-44c0-8a98-d7fade76dda6\":{\"label\":\"Total 
Missing\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"device.present\",\"filter\":{\"query\":\"device.present : false \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"3e10af95-976a-44c0-8a98-d7fade76dda6\",\"e1a9c4eb-e9e4-425a-abdd-7c0a829be528\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":17,\"w\":48,\"h\":36,\"i\":\"5ff3e63e-e71b-4b11-a07c-9c1315d604ce\"},\"panelIndex\":\"5ff3e63e-e71b-4b11-a07c-9c1315d604ce\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"a57870ef-07d8-4d12-a067-8c66eefd10ca\",\"name\":\"indexpattern-datasource-layer-4f761e14-aaf2-4318-ad8c-83d391b55ef3\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"83a1475f-1b10-4670-8a5c-d02639c31b16\",\"isTransposed\":false},{\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"5d04b4db-7c47-429b-baa4-dcde47c17256\",\"isTransposed\":false},{\"columnId\":\"206f4ddf-480c-4fa8-b76b-a277ee56c6d3\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"bd378ce9-b1e3-4ee9-ac61-dcac3c668582\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"b6aaa1bc-ba97-4a64-be3e-7b165d3c84b7\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"4f761e14-aaf2-4318-ad8c-83d391b55ef3\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language
\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4f761e14-aaf2-4318-ad8c-83d391b55ef3\":{\"columns\":{\"83a1475f-1b10-4670-8a5c-d02639c31b16\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.name\",\"isBucketed\":true,\"params\":{\"size\":250,\"orderBy\":{\"type\":\"column\",\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\":{\"label\":\"Last Reported\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"@timestamp\",\"filter\":{\"query\":\"@timestamp: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true},\"5d04b4db-7c47-429b-baa4-dcde47c17256\":{\"label\":\"Manufacturer\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.manufacturer\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"206f4ddf-480c-4fa8-b76b-a277ee56c6d3\":{\"label\":\"Present\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.present\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsR
egex\":false},\"customLabel\":true},\"bd378ce9-b1e3-4ee9-ac61-dcac3c668582\":{\"label\":\"Device Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.class\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b6aaa1bc-ba97-4a64-be3e-7b165d3c84b7\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"device.id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"83a1475f-1b10-4670-8a5c-d02639c31b16\",\"5d04b4db-7c47-429b-baa4-dcde47c17256\",\"206f4ddf-480c-4fa8-b76b-a277ee56c6d3\",\"bd378ce9-b1e3-4ee9-ac61-dcac3c668582\",\"b6aaa1bc-ba97-4a64-be3e-7b165d3c84b7\",\"807673da-bcf0-4a23-8fc6-e49efcfcd6d3\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Device List\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Hardware Inventory", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:47:46.348Z", + "id": "tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": 
"tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "ae9194f3-7df8-415d-870c-3480f12e4971:panel_ae9194f3-7df8-415d-870c-3480f12e4971", + "type": "visualization" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "f065275d-50bf-4f95-a7a8-90d7bbaafacb:indexpattern-datasource-layer-7c2eef60-6291-469e-976b-a5f2ed860552", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "fe594ff8-c22c-40c4-9ab2-e9b2fea85847:indexpattern-datasource-layer-6c93481d-09a6-47eb-857d-e98b13758ec8", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "26f1102d-2afc-4e57-ac53-25d4cb848ed5:indexpattern-datasource-layer-16326d6b-8de2-4f2f-945f-3d9a23538c43", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "0ef9aa2c-73b1-4b65-89cc-1c68441fe5b9:indexpattern-datasource-layer-82dd98f7-71b6-4e8f-84b2-a5bacc5afa97", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "ce341abb-5aea-4712-969d-9748b4de78af:indexpattern-datasource-layer-16326d6b-8de2-4f2f-945f-3d9a23538c43", + "type": "index-pattern" + }, + { + "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca", + "name": "5ff3e63e-e71b-4b11-a07c-9c1315d604ce:indexpattern-datasource-layer-4f761e14-aaf2-4318-ad8c-83d391b55ef3", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_2b9581fc-f55b-46f5-bf71-0cbfba5cc9ae:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "7b7ab4c0-3e02-11ee-9610-15dee918f31a", + "name": 
"tag-ref-7b7ab4c0-3e02-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:47:46.348Z", + "version": "WzgyMTE0NywyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json b/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json new file mode 100644 index 00000000000..ac948619cd8 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json 
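Review bot: The three metric panels labelled `Total Device Count`, `Total Present` and `Total Missing` in `panelsJSON` use `\"operationType\":\"count\"` over `___records___` / `device.present`, so they count documents rather than devices; the Device List's `Last Reported` column (a `last_value` of `@timestamp`) shows that a device can report more than once inside the window, in which case each report is counted again and the inventory figures grow with the reporting cadence. The Device List table also buckets by `device.name` and caps `device.id` at `\"size\":1`, so two distinct devices that share a name (identical removable drives, for instance) collapse into one row with a single ID shown, which is the case a hardware inventory used for rogue-device review most needs to surface. Consider switching the three metrics to `\"operationType\":\"unique_count\",\"sourceField\":\"device.id\"` and making `device.id` the table's primary terms column, or at least raising its `size`. Separately, `"timeRestore": true` together with `"timeFrom": "now-7d/d"` forces a seven-day window every time the dashboard opens, which contradicts the description's claim to display hardware "currently or previously attached"; either drop `timeRestore` or state the window in the description.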
@@ -0,0 +1,106 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"a9a1905e-d884-49b1-9f30-bae69dd0f668\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"id\":\"a9a1905e-d884-49b1-9f30-bae69dd0f668\",\"existsSelected\":false,\"hideExists\":true,\"hideExclude\":true,\"singleSelect\":true,\"enhancements\":{}}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Endpoint Protection view displays the status of your AV vendors and virtualization protection mechanisms, whether they are enabled, and if they are up to date.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"02c59767-547c-4cda-bba5-77ad8a00a068\"},\"panelIndex\":\"02c59767-547c-4cda-bba5-77ad8a00a068\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true},\"panelRefName\":\"panel_02c59767-547c-4cda-bba5-77ad8a00a068\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":9,\"h\":10,\"i\":\"cefa3c11-9742-4955-9569-40a38489d62a\"},\"panelIndex\":\"cefa3c11-9742-4955-9569-40a38489d62a\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Endpoint Protections\\nTYCHON monitors the endpoint for installed endpoint protection software. TYCHON integrates with EPP vendors to report the status of each specific vendor and its features to ensure all the proper protections are in place.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":3,\"w\":39,\"h\":5,\"i\":\"12e45058-431b-4504-a6ea-b37cdb08043d\"},\"panelIndex\":\"12e45058-431b-4504-a6ea-b37cdb08043d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-9aeae475-3f70-4b1f-8e37-3d09bb018588\"}],\"state\":{\"visualization\":{\"layerId\":\"9aeae475-3f70-4b1f-8e37-3d09bb018588\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"de290752-f19c-48d6-88b4-bbacb0a643ba\",\"alignment\":\"center\"},{\"columnId\":\"1a761e73-7d11-44ba-b41d-12792debe4cc\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"7f900bc4-4ed6-456b-9e5f-b77e10a1109c\",\"isTransposed\":false,\"alignment\":\"c
enter\"},{\"columnId\":\"6b4ec867-8b7e-4d41-8b61-5615715413eb\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9aeae475-3f70-4b1f-8e37-3d09bb018588\":{\"columns\":{\"de290752-f19c-48d6-88b4-bbacb0a643ba\":{\"label\":\"Elastic Defender Behavior Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.behavior_protection\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1a761e73-7d11-44ba-b41d-12792debe4cc\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1a761e73-7d11-44ba-b41d-12792debe4cc\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"7f900bc4-4ed6-456b-9e5f-b77e10a1109c\":{\"label\":\"Elastic Defender Anti-Malware\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.malware\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1a761e73-7d11-44ba-b41d-12792debe4cc\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6b4ec867-8b7e-4d41-8b61-5615715413eb\":{\"label\":\"Elastic Defender Memory 
Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.memory_protection\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"1a761e73-7d11-44ba-b41d-12792debe4cc\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"de290752-f19c-48d6-88b4-bbacb0a643ba\",\"7f900bc4-4ed6-456b-9e5f-b77e10a1109c\",\"6b4ec867-8b7e-4d41-8b61-5615715413eb\",\"1a761e73-7d11-44ba-b41d-12792debe4cc\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Elastic Defender Feature Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":8,\"w\":39,\"h\":5,\"i\":\"ea31c98b-3c46-4f95-a986-c4693b92b89e\"},\"panelIndex\":\"ea31c98b-3c46-4f95-a986-c4693b92b89e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-5387a34a-b7b2-4177-9083-335cf4e9a3bf\"}],\"state\":{\"visualization\":{\"layerId\":\"5387a34a-b7b2-4177-9083-335cf4e9a3bf\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"fdfec985-df5b-4716-b4b7-fc583b364c03\",\"alignment\":\"center\"},{\"columnId\":\"f6bca86d-5a9b-4e18-902b-a573c57e734f\",\"hidden\":true},{\"columnId\":\"3e2f3d28-d02f-4e67-954e-ca5dbf0f5cec\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"bfc72b21-55c2-4913-bcff-15362a0f8500\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"005add0c-a692-4d2d-9758-6beb27289076\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"\",\"language\":\"kuer
y\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5387a34a-b7b2-4177-9083-335cf4e9a3bf\":{\"columns\":{\"fdfec985-df5b-4716-b4b7-fc583b364c03\":{\"label\":\"TPM Present\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.tpm.present\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f6bca86d-5a9b-4e18-902b-a573c57e734f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f6bca86d-5a9b-4e18-902b-a573c57e734f\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"3e2f3d28-d02f-4e67-954e-ca5dbf0f5cec\":{\"label\":\"TPM Digest\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.tpm.digest.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f6bca86d-5a9b-4e18-902b-a573c57e734f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"bfc72b21-55c2-4913-bcff-15362a0f8500\":{\"label\":\"TPM Compliant\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.tpm.compliant\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f6bca86d-5a9b-4e18-902b-a573c57e734f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"005add0c-a692-4d2d-9758-6beb27289076\":{\"label\":\"TPM 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.tpm.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f6bca86d-5a9b-4e18-902b-a573c57e734f\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"fdfec985-df5b-4716-b4b7-fc583b364c03\",\"3e2f3d28-d02f-4e67-954e-ca5dbf0f5cec\",\"bfc72b21-55c2-4913-bcff-15362a0f8500\",\"005add0c-a692-4d2d-9758-6beb27289076\",\"f6bca86d-5a9b-4e18-902b-a573c57e734f\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Trusted Platform Module Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":5,\"i\":\"21705463-1697-44dc-9a09-62df26148332\"},\"panelIndex\":\"21705463-1697-44dc-9a09-62df26148332\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-75c713fc-0fdd-431c-8bc6-ecfb247c176e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\",\"isTransposed\":false,\"colorMode\":\"none\",\"alignment\":\"center\",\"hidden\":true},{\"columnId\":\"d9295119-6956-41e0-8b42-ac2e47a370de\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"e4e1c126-d5c4-4037-84c4-8eaf12358e54\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"33408527-4b67-4ab8-985a-5f4b9bcb0618\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"f01de7cd-f7e8-462d-baa9-896b85f6c3eb\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"6
956a5b0-f8ac-48c5-befe-9e3b671f2639\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"5133c9fb-f2af-4ded-ace4-bf47124e75e3\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"5560824c-b749-475f-8423-603ee0107b9e\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"75c713fc-0fdd-431c-8bc6-ecfb247c176e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"75c713fc-0fdd-431c-8bc6-ecfb247c176e\":{\"columns\":{\"dd967aec-5d3a-4e98-b8bb-1861bff07184\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"d9295119-6956-41e0-8b42-ac2e47a370de\":{\"label\":\"Elastic Agent Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.agent.version\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e4e1c126-d5c4-4037-84c4-8eaf12358e54\":{\"label\":\"Trellix ENS Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"33408527-4b67-4ab8-985a-5f4b9bcb0618\":{\"label\":\"Trellix PA 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.pa.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f01de7cd-f7e8-462d-baa9-896b85f6c3eb\":{\"label\":\"Trellix DLP Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.dlp.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6956a5b0-f8ac-48c5-befe-9e3b671f2639\":{\"label\":\"ACCM Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.accm.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5133c9fb-f2af-4ded-ace4-bf47124e75e3\":{\"label\":\"RSD 
Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.rsd.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5560824c-b749-475f-8423-603ee0107b9e\":{\"label\":\"Elastic Endpoint Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"d9295119-6956-41e0-8b42-ac2e47a370de\",\"5560824c-b749-475f-8423-603ee0107b9e\",\"e4e1c126-d5c4-4037-84c4-8eaf12358e54\",\"33408527-4b67-4ab8-985a-5f4b9bcb0618\",\"f01de7cd-f7e8-462d-baa9-896b85f6c3eb\",\"5133c9fb-f2af-4ded-ace4-bf47124e75e3\",\"6956a5b0-f8ac-48c5-befe-9e3b671f2639\",\"dd967aec-5d3a-4e98-b8bb-1861bff07184\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Third-Party Protection Software 
Versions\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":5,\"i\":\"a8c6851c-3730-4c20-b9e0-43af84a176d0\"},\"panelIndex\":\"a8c6851c-3730-4c20-b9e0-43af84a176d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-04332c65-6c71-4235-8823-49823d7deda5\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"512f9032-b127-4739-b5bf-3eb959638ff5\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"f4d3274b-0ee5-442f-8eeb-b41e5fa7f953\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"91e23a0c-ed3b-4ad7-bc5e-53f4c6fab562\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"cf12a36e-89b5-4367-b35f-9afb91f70d09\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"c05bb470-b273-4a26-bf5d-a81b3c58767f\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"76f77c25-4df6-4e7a-94ec-a88f4e9c8677\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"0ac16482-70d8-47af-9017-43495072b88a\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"04332c65-6c71-4235-8823-49823d7deda5\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"04332c65-6c71-4235-8823-49823d7deda5\":{\"columns\":{\"dbfeb47c-32b6-474c-8677-dae820f07b2d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"512f9032-b127-4739-b5bf-3eb959638ff5\":{\"label\":\"Elastic Agent 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.agent.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f4d3274b-0ee5-442f-8eeb-b41e5fa7f953\":{\"label\":\"Elastic Endpoint Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"elastic.service.endpoint.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"91e23a0c-ed3b-4ad7-bc5e-53f4c6fab562\":{\"label\":\"Trellix ENS Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"cf12a36e-89b5-4367-b35f-9afb91f70d09\":{\"label\":\"Trellix DLP 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.dlp.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c05bb470-b273-4a26-bf5d-a81b3c58767f\":{\"label\":\"Trellix PA Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.pa.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"76f77c25-4df6-4e7a-94ec-a88f4e9c8677\":{\"label\":\"Trellix RSD Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.rsd.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ac16482-70d8-47af-9017-43495072b88a\":{\"label\":\"ACCM 
Status\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.accm.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"512f9032-b127-4739-b5bf-3eb959638ff5\",\"f4d3274b-0ee5-442f-8eeb-b41e5fa7f953\",\"91e23a0c-ed3b-4ad7-bc5e-53f4c6fab562\",\"c05bb470-b273-4a26-bf5d-a81b3c58767f\",\"cf12a36e-89b5-4367-b35f-9afb91f70d09\",\"76f77c25-4df6-4e7a-94ec-a88f4e9c8677\",\"0ac16482-70d8-47af-9017-43495072b88a\",\"dbfeb47c-32b6-474c-8677-dae820f07b2d\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Third-Party Protection Software 
Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":5,\"i\":\"52a76f9f-e799-4d4a-b9e4-eae7014038e4\"},\"panelIndex\":\"52a76f9f-e799-4d4a-b9e4-eae7014038e4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-ef2f26c8-3d23-4b27-b103-3f0ad7394111\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"29924658-9aa3-42ea-bd98-79e173958e42\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"33c42b63-ee69-433c-95af-9d7d01e4f845\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"a052e49e-e5ef-4c10-97df-d5c3f372f8ac\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"221eaf8f-2283-4ee5-b4b7-8b3236f6d621\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"d88f0d3a-2942-49fc-bd63-a971fa819412\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"06750c7f-0d30-41c5-a4b7-cb1d59756b91\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"ef2f26c8-3d23-4b27-b103-3f0ad7394111\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ef2f26c8-3d23-4b27-b103-3f0ad7394111\":{\"columns\":{\"eb149617-f610-4378-ba74-d639147b5601\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"29924658-9aa3-42ea-bd98-79e173958e42\":{\"label\":\"Windows Defender 
Anti-Malware\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antimalware.status\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"33c42b63-ee69-433c-95af-9d7d01e4f845\":{\"label\":\"Windows Defender Anti-Spyware\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antispyware.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a052e49e-e5ef-4c10-97df-d5c3f372f8ac\":{\"label\":\"Windows Defender Anti-Virus \",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antivirus.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"221eaf8f-2283-4ee5-b4b7-8b3236f6d621\":{\"label\":\"Windows Defender Real-Time 
Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.real_time_protection.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"d88f0d3a-2942-49fc-bd63-a971fa819412\":{\"label\":\"Windows Defender NIS\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.nis.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"06750c7f-0d30-41c5-a4b7-cb1d59756b91\":{\"label\":\"Windows Defender On-Access 
Protection\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.on_access_protection.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"eb149617-f610-4378-ba74-d639147b5601\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"29924658-9aa3-42ea-bd98-79e173958e42\",\"33c42b63-ee69-433c-95af-9d7d01e4f845\",\"a052e49e-e5ef-4c10-97df-d5c3f372f8ac\",\"221eaf8f-2283-4ee5-b4b7-8b3236f6d621\",\"d88f0d3a-2942-49fc-bd63-a971fa819412\",\"06750c7f-0d30-41c5-a4b7-cb1d59756b91\",\"eb149617-f610-4378-ba74-d639147b5601\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Windows Defender Feature 
Status\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":5,\"i\":\"8ad0f3f2-f823-482a-94f5-438a5f4e63ad\"},\"panelIndex\":\"8ad0f3f2-f823-482a-94f5-438a5f4e63ad\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"6c3bf5e0-0feb-4113-a417-ac5e69cd6e00\",\"name\":\"indexpattern-datasource-layer-6cde8617-3e7c-4778-a329-d928e36d7275\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"beb6fb15-943b-4309-90f7-f4dce874a09b\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f99c5f5c-ed39-4708-a69a-8cb9dafd18c0\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"7c6804a4-01e8-4d63-abeb-403c9080dfa2\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"f6f3cda8-645f-4d93-9b56-259ea57e96ba\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"c4d70098-785e-4a47-814e-9e380659c08a\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"6cde8617-3e7c-4778-a329-d928e36d7275\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6cde8617-3e7c-4778-a329-d928e36d7275\":{\"columns\":{\"beb6fb15-943b-4309-90f7-f4dce874a09b\":{\"label\":\"Windows Defender 
Anti-Malware\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antimalware.signature_version\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"2ecb665e-6607-46bb-b133-227e2a1f86e5\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f99c5f5c-ed39-4708-a69a-8cb9dafd18c0\":{\"label\":\"Windows Defender Anit-Spyware\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antispyware.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7c6804a4-01e8-4d63-abeb-403c9080dfa2\":{\"label\":\"Windows Defender AV\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.antivirus.full_scan.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f6f3cda8-645f-4d93-9b56-259ea57e96ba\":{\"label\":\"Windows Defender 
NIS\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"windows_defender.service.nis.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c4d70098-785e-4a47-814e-9e380659c08a\":{\"label\":\"Trellix ENS\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"trellix.service.ens.signature_version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"c4d70098-785e-4a47-814e-9e380659c08a\",\"beb6fb15-943b-4309-90f7-f4dce874a09b\",\"f99c5f5c-ed39-4708-a69a-8cb9dafd18c0\",\"7c6804a4-01e8-4d63-abeb-403c9080dfa2\",\"f6f3cda8-645f-4d93-9b56-259ea57e96ba\",\"2ecb665e-6607-46bb-b133-227e2a1f86e5\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endpoint Protection Signature 
Versions\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":33,\"w\":48,\"h\":5,\"i\":\"165a86cb-4d74-46e5-b01a-c8aa699bb62d\"},\"panelIndex\":\"165a86cb-4d74-46e5-b01a-c8aa699bb62d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-2c3e9bfb-f184-4fcc-8cf0-289375d17465\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"407f21d2-19c4-4989-af6d-6d1874ed4adb\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"dfcfe55f-7ed2-414e-a58c-5ce22504f040\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"485d3df1-2842-46fa-8709-b9e1c226c7fa\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"e4001a32-8acc-4546-ad61-096ef4ada2da\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"20655296-06de-4a2f-8c5c-d3f11575f76b\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"93d9fdc5-1776-4120-b653-35f6ade218ff\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"6d17a739-c24f-47da-8215-5f85d7fab0eb\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"5aaf01cb-a91c-4863-b03b-7df01d5b0139\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"2c3e9bfb-f184-4fcc-8cf0-289375d17465\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"2c3e9bfb-f184-4fcc-8cf0-289375d17465\":{\"columns\":{\"407f21d2-19c4-4989-af6d-6d1874ed4adb\":{\"label\":\"Credential Guard 
Enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.credentialguard.enabled\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b16cb63b-c175-474d-92c1-8a4259f824a6\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"dfcfe55f-7ed2-414e-a58c-5ce22504f040\":{\"label\":\"Credential Guard Running\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.credentialguard.running\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"485d3df1-2842-46fa-8709-b9e1c226c7fa\":{\"label\":\"Device Guard Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e4001a32-8acc-4546-ad61-096ef4ada2da\":{\"label\":\"Secure Boot 
Available\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.secureboot.available\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"20655296-06de-4a2f-8c5c-d3f11575f76b\":{\"label\":\"Usermode Integrity Policy Enforcement\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.usermodecodeintegrity.policyenforcement\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"93d9fdc5-1776-4120-b653-35f6ade218ff\":{\"label\":\"Virtualization Based Security\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.virtualizationbasedsecurity.status\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6d17a739-c24f-47da-8215-5f85d7fab0eb\":{\"label\":\"Secure Launch 
Enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.systemguardsecurelaunch.enabled\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5aaf01cb-a91c-4863-b03b-7df01d5b0139\":{\"label\":\"UFI Enabled\",\"dataType\":\"boolean\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.ufi.enabled\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b16cb63b-c175-474d-92c1-8a4259f824a6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"407f21d2-19c4-4989-af6d-6d1874ed4adb\",\"dfcfe55f-7ed2-414e-a58c-5ce22504f040\",\"485d3df1-2842-46fa-8709-b9e1c226c7fa\",\"e4001a32-8acc-4546-ad61-096ef4ada2da\",\"20655296-06de-4a2f-8c5c-d3f11575f76b\",\"93d9fdc5-1776-4120-b653-35f6ade218ff\",\"6d17a739-c24f-47da-8215-5f85d7fab0eb\",\"5aaf01cb-a91c-4863-b03b-7df01d5b0139\",\"b16cb63b-c175-474d-92c1-8a4259f824a6\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Windows Security Settings\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-7d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Endpoint Protection", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:53:06.434Z", + "id": "tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp", + "migrationVersion": { + 
"dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc",
+ "name": "02c59767-547c-4cda-bba5-77ad8a00a068:panel_02c59767-547c-4cda-bba5-77ad8a00a068",
+ "type": "visualization"
+ },
+ {
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "name": "12e45058-431b-4504-a6ea-b37cdb08043d:indexpattern-datasource-layer-9aeae475-3f70-4b1f-8e37-3d09bb018588",
+ "type": "index-pattern"
+ },
+ {
+ "id": "9267bb1b-cf22-4417-8cfb-6606848140a7",
+ "name": "ea31c98b-3c46-4f95-a986-c4693b92b89e:indexpattern-datasource-layer-5387a34a-b7b2-4177-9083-335cf4e9a3bf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "name": "21705463-1697-44dc-9a09-62df26148332:indexpattern-datasource-layer-75c713fc-0fdd-431c-8bc6-ecfb247c176e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "name": "a8c6851c-3730-4c20-b9e0-43af84a176d0:indexpattern-datasource-layer-04332c65-6c71-4235-8823-49823d7deda5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "name": "52a76f9f-e799-4d4a-b9e4-eae7014038e4:indexpattern-datasource-layer-ef2f26c8-3d23-4b27-b103-3f0ad7394111",
+ "type": "index-pattern"
+ },
+ {
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "name": "8ad0f3f2-f823-482a-94f5-438a5f4e63ad:indexpattern-datasource-layer-6cde8617-3e7c-4778-a329-d928e36d7275",
+ "type": "index-pattern"
+ },
+ {
+ "id": "9267bb1b-cf22-4417-8cfb-6606848140a7",
+ "name": "165a86cb-4d74-46e5-b01a-c8aa699bb62d:indexpattern-datasource-layer-2c3e9bfb-f184-4fcc-8cf0-289375d17465",
+ "type": "index-pattern"
+ },
+ {
+ "id": "bb5226cd-c099-46d2-bb71-0257232c7d82",
+ "name": "controlGroup_a9a1905e-d884-49b1-9f30-bae69dd0f668:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "a3922360-3de6-11ee-9610-15dee918f31a",
+ "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
+ "name": 
"tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "type": "tag"
+ },
+ {
+ "id": "10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "39b55820-10f2-11ee-af86-538da1394f27",
+ "name": "tag-ref-39b55820-10f2-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "bae88930-1133-11ee-af86-538da1394f27",
+ "name": "tag-ref-bae88930-1133-11ee-af86-538da1394f27",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2023-08-23T20:53:06.434Z",
+ "version": "WzgyMTYxNywyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-cb312af0-3d4c-11ee-9610-15dee918f31a-arp.json b/packages/tychon/kibana/dashboard/tychon-cb312af0-3d4c-11ee-9610-15dee918f31a-arp.json
new file mode 100644
index 00000000000..6c4798875b6
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-cb312af0-3d4c-11ee-9610-15dee918f31a-arp.json
@@ -0,0 +1,80 @@ +{ + "attributes": { + "description": "TYCHON captures ARP tables from endpoints. It tracks new ARP table entries and updates previously captured ones. Historical tracking is for previously found ARP lookups that are no longer seen.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":5,\"h\":17,\"i\":\"590b900e-fdb0-4f3f-8b3f-27fcaa636c0c\"},\"panelIndex\":\"590b900e-fdb0-4f3f-8b3f-27fcaa636c0c\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"## ARP Tables\\n\\n**Overview** \\\\\\nTYCHON collects ARP tables every 30 minutes from endpoints and returns results to Elasticsearch. TYCHON assigns each ARP connection a unique identifier and updates previously captured ARP data. When TYCHON recognizes the same data, it updates the information. However, if TYCHON stops reporting an ARP entry, it is not removed. 
Therefore, this data is both the current ARP table and a historical view of ARP entries.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":5,\"y\":0,\"w\":13,\"h\":52,\"i\":\"ce775759-5615-4c75-9ef3-2a0330abbf25\"},\"panelIndex\":\"ce775759-5615-4c75-9ef3-2a0330abbf25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-afc52d89-e35c-44fa-9d4f-3edd6b5dd245\"}],\"state\":{\"visualization\":{\"layerId\":\"afc52d89-e35c-44fa-9d4f-3edd6b5dd245\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"648d98c9-1dfe-4a03-92dd-95529f0c34d4\",\"oneClickFilter\":true},{\"columnId\":\"07fe3a38-3801-46d4-a87b-f6c09df2cb56\",\"alignment\":\"right\",\"isTransposed\":false},{\"columnId\":\"8d87ad64-7076-47a7-ad7a-0b4ccf48b95e\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"7ca8b3cd-e25c-47f2-a92e-51bc61e138b5\",\"isTransposed\":false,\"alignment\":\"center\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"afc52d89-e35c-44fa-9d4f-3edd6b5dd245\":{\"columns\":{\"648d98c9-1dfe-4a03-92dd-95529f0c34d4\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"07fe3a38-3801-46d4-a87b-f6c09df2cb56\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"07fe3a38-3801-46d4-a87b-f6c09df2cb56\":{\"label\":\"Number 
of ARP Records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"destination.mac\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"8d87ad64-7076-47a7-ad7a-0b4ccf48b95e\":{\"label\":\"Unique IPs\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"destination.ip\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"7ca8b3cd-e25c-47f2-a92e-51bc61e138b5\":{\"label\":\"Unique MACs\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"destination.mac\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"648d98c9-1dfe-4a03-92dd-95529f0c34d4\",\"8d87ad64-7076-47a7-ad7a-0b4ccf48b95e\",\"7ca8b3cd-e25c-47f2-a92e-51bc61e138b5\",\"07fe3a38-3801-46d4-a87b-f6c09df2cb56\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"e9dae9b3-8ad2-444c-97e2-fdaa1f8a3a34\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View TYCHON Host Connection Details\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true,\"openInNewTab\":false}}}]}}},\"title\":\"Endpoint 
List\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":6,\"h\":52,\"i\":\"a718b065-8aa4-4122-8209-9e8166809166\"},\"panelIndex\":\"a718b065-8aa4-4122-8209-9e8166809166\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-75e99f33-af21-4c5b-bf43-27e613d19f1e\"}],\"state\":{\"visualization\":{\"layerId\":\"75e99f33-af21-4c5b-bf43-27e613d19f1e\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"76ad0139-f4ce-47f6-8d1a-e3c6c545de46\"},{\"columnId\":\"3d56cfc4-b5ca-4f33-99e7-26bea3bb0781\",\"isTransposed\":false,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"75e99f33-af21-4c5b-bf43-27e613d19f1e\":{\"columns\":{\"76ad0139-f4ce-47f6-8d1a-e3c6c545de46\":{\"label\":\"Network Interface\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.interface\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3d56cfc4-b5ca-4f33-99e7-26bea3bb0781\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"3d56cfc4-b5ca-4f33-99e7-26bea3bb0781\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"76ad0139-f4ce-47f6-8d1a-e3c6c545de46\",\"3d56cfc4-b5ca-4f33-99e7-26bea3bb0781\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Interfaces\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":52,\"i\":\"cdc2012f-9e23-4d08-b87d-df42e57ba04f\"},\"panelIndex\":\"cdc2012f-9e23-4d08-b87d-df42e57ba04f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-939ae107-5b48-47e3-a385-121998a30d18\"}],\"state\":{\"visualization\":{\"layerId\":\"939ae107-5b48-47e3-a385-121998a30d18\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"629fcd61-a24e-4c3f-9756-8e1ab90bca37\",\"oneClickFilter\":true},{\"columnId\":\"e5341642-c7db-4c93-b27d-47844eeb8ee6\",\"isTransposed\":false},{\"columnId\":\"1e935b13-21c4-4c7c-bbdd-6cd440f9c198\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"ab8a2ee6-37ba-424c-8e09-f59a80cdc5c2\",\"isTransposed\":false},{\"columnId\":\"432028bb-1cb7-44a8-8446-0f3f023112c4\",\"isTransposed\":false,\"alignment\":\"right\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"939ae107-5b48-47e3-a385-121998a30d18\":{\"columns\":{\"629fcd61-a24e-4c3f-9756-8e1ab90bca37\":{\"label\":\"IP 
Address\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e5341642-c7db-4c93-b27d-47844eeb8ee6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e5341642-c7db-4c93-b27d-47844eeb8ee6\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"1e935b13-21c4-4c7c-bbdd-6cd440f9c198\":{\"label\":\"MAC Address\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.mac\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e5341642-c7db-4c93-b27d-47844eeb8ee6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ab8a2ee6-37ba-424c-8e09-f59a80cdc5c2\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e5341642-c7db-4c93-b27d-47844eeb8ee6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"432028bb-1cb7-44a8-8446-0f3f023112c4\":{\"label\":\"Last Seen\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"@timestamp\",\"filter\":{\"query\":\"@timestamp: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true}},\"columnOrder\":[\"629fcd61-a24e-4c3f-9756-8e1ab90bca37\",\"1e935b13-21c4-4c7c-bbdd-6cd440f9c198\",\"ab8a2ee6-37ba-424c-8e09-f59a80cdc5c2\",\"432028bb-1cb7-44a8-8446-0f3f023112c4\",\"e5341642-c7db-4c93-b27d-47844eeb8ee6\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"452d1f2a-645c-4b66-85da-ad52242236bf\",\"triggers\":[\"VALUE_CLICK_TRIGGER\"],\"action\":{\"factoryId\":\"URL_DRILLDOWN\",\"name\":\"Search Google\",\"config\":{\"url\":{\"template\":\"https://google.com/search?q={{event.value}}\"},\"openInNewTab\":true,\"encodeUrl\":true}}},{\"eventId\":\"70b722a9-59f3-4b68-8341-0cda9ef41b28\",\"triggers\":[\"VALUE_CLICK_TRIGGER\"],\"action\":{\"factoryId\":\"URL_DRILLDOWN\",\"name\":\"Lookup MAC Address\",\"config\":{\"url\":{\"template\":\"https://maclookup.app/search/result?mac={{event.value}}\"},\"openInNewTab\":true,\"encodeUrl\":true}}}]}}},\"title\":\"ARP 
Table\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":17,\"w\":5,\"h\":12,\"i\":\"4a40f01c-b8af-4bb3-832b-de481355be2f\"},\"panelIndex\":\"4a40f01c-b8af-4bb3-832b-de481355be2f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-8199203d-fd63-4a05-9df6-38bfa2c6eb74\"},{\"type\":\"index-pattern\",\"name\":\"eec5b6be-b56e-44ea-b6df-dc957dd00778\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\"}],\"state\":{\"visualization\":{\"layerId\":\"8199203d-fd63-4a05-9df6-38bfa2c6eb74\",\"accessor\":\"e016cc96-3489-4383-a9c1-865a5ba8f0dd\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"eec5b6be-b56e-44ea-b6df-dc957dd00778\",\"type\":\"exists\",\"key\":\"destination.mac\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"destination.mac\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"8199203d-fd63-4a05-9df6-38bfa2c6eb74\":{\"columns\":{\"e016cc96-3489-4383-a9c1-865a5ba8f0dd\":{\"label\":\"Unique MAC 
Addresses\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"destination.mac\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e016cc96-3489-4383-a9c1-865a5ba8f0dd\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":5,\"h\":12,\"i\":\"4139858c-c579-479b-aad7-90883296a136\"},\"panelIndex\":\"4139858c-c579-479b-aad7-90883296a136\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"8532a0b4-2a02-4dfa-b6aa-aabe01125b61\",\"name\":\"indexpattern-datasource-layer-25e8d64c-1846-4743-950d-89d0fb6f1113\"}],\"state\":{\"visualization\":{\"layerId\":\"25e8d64c-1846-4743-950d-89d0fb6f1113\",\"accessor\":\"976f2848-673c-414f-bc8d-fb5f861fc48e\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xl\",\"titlePosition\":\"bottom\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"25e8d64c-1846-4743-950d-89d0fb6f1113\":{\"columns\":{\"976f2848-673c-414f-bc8d-fb5f861fc48e\":{\"label\":\"Unique IP Addresses\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"destination.ip\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"976f2848-673c-414f-bc8d-fb5f861fc48e\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] ARP Tables", + "version": 1 + }, + 
"coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:35:07.156Z", + "id": "tychon-cb312af0-3d4c-11ee-9610-15dee918f31a-arp", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "ce775759-5615-4c75-9ef3-2a0330abbf25:indexpattern-datasource-layer-afc52d89-e35c-44fa-9d4f-3edd6b5dd245", + "type": "index-pattern" + }, + { + "id": "tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice", + "name": "ce775759-5615-4c75-9ef3-2a0330abbf25:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:e9dae9b3-8ad2-444c-97e2-fdaa1f8a3a34:dashboardId", + "type": "dashboard" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "a718b065-8aa4-4122-8209-9e8166809166:indexpattern-datasource-layer-75e99f33-af21-4c5b-bf43-27e613d19f1e", + "type": "index-pattern" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "cdc2012f-9e23-4d08-b87d-df42e57ba04f:indexpattern-datasource-layer-939ae107-5b48-47e3-a385-121998a30d18", + "type": "index-pattern" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "4a40f01c-b8af-4bb3-832b-de481355be2f:indexpattern-datasource-layer-8199203d-fd63-4a05-9df6-38bfa2c6eb74", + "type": "index-pattern" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "4a40f01c-b8af-4bb3-832b-de481355be2f:eec5b6be-b56e-44ea-b6df-dc957dd00778", + "type": "index-pattern" + }, + { + "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61", + "name": "4139858c-c579-479b-aad7-90883296a136:indexpattern-datasource-layer-25e8d64c-1846-4743-950d-89d0fb6f1113", + "type": "index-pattern" + }, + { + "id": "c957d710-3d4c-11ee-9610-15dee918f31a", + "name": "tag-ref-c957d710-3d4c-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + 
"type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:35:07.156Z", + "version": "WzgxOTc4MiwyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig.json b/packages/tychon/kibana/dashboard/tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig.json new file mode 100644 index 00000000000..1b13360f411 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig.json 
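Review bot: The two `URL_DRILLDOWN` events on the "ARP Table" panel (`dynamicActions.events` inside `panelsJSON`) send the clicked cell value — an internal IP address or a MAC address from an endpoint's ARP table — to third-party services via `https://google.com/search?q={{event.value}}` and `https://maclookup.app/search/result?mac={{event.value}}`, so one click on this inventory dashboard pushes host-identifying data off-network. `encodeUrl` is set, which is correct, but nothing in the shipped dashboard tells an operator these external lookups exist or how to remove them. Either drop the two events from the package, or extend the dashboard `description` with a sentence such as `Clicking an IP or MAC address in the ARP Table opens an external lookup (google.com, maclookup.app) in a new tab; remove those drilldowns in restricted or air-gapped environments.` Separately, the `DASHBOARD_TO_DASHBOARD_DRILLDOWN` named "View TYCHON Host Connection Details" resolves (see `references`) to `tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice`, which reads like the exposed-services dashboard rather than a host-connection view — worth confirming that is the intended target.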
@@ -0,0 +1,101 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"accc2a18-0c16-4d33-b8df-09233a36a580\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"hideExists\":true,\"hideExclude\":true,\"singleSelect\":true,\"id\":\"accc2a18-0c16-4d33-b8df-09233a36a580\",\"enhancements\":{}}}}" + }, + "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser - Benchmark Results view displays all Benchmark SCAP scan results for the OS and Software installed.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"8f6fafd2-91a2-424b-a877-284568fd3f98\"},\"panelIndex\":\"8f6fafd2-91a2-424b-a877-284568fd3f98\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_8f6fafd2-91a2-424b-a877-284568fd3f98\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":9,\"h\":6,\"i\":\"363067aa-6ee2-41c7-b95d-0e61e6c28537\"},\"panelIndex\":\"363067aa-6ee2-41c7-b95d-0e61e6c28537\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"6fff9691-3ddd-4388-8285-de60ad5d992f\",\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\",\"params\":{\"name\":\"status\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":0,\"rangeMax\":100,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":33.33},{\"color\":\"#d6bf57\",\"stop\":66.66},{\"color\":\"#cc5642\",\"stop\":100}],\"steps\":3,\"colorStops\":[],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"maxAccessor\":\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\",\"showBar\":true,\"progressDirection\":\"horizontal\",\"subtitle\":\"Failed tests to all tests.\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6fff9691-3ddd-4388-8285-de60ad5d992f\":{\"columns\":{\"71671d69-d31c-4a61-9ee3-68bacec8d16f\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result: 
\\\"fail\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"rule.result: \\\"fail\\\" or rule.result: \\\"pass\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":3,\"w\":39,\"h\":16,\"i\":\"6eda45c7-cb35-4f4a-8d66-4206ded45c8c\"},\"panelIndex\":\"6eda45c7-cb35-4f4a-8d66-4206ded45c8c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-3a5ee27d-64e5-4145-91f5-5805379b4f2f\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"37f5da22-553d-4f51-8e0a-25ba01358872\"},{\"isTransposed\":false,\"columnId\":\"a648975d-7369-4b4b-bf40-70dabb3571c0\",\"alignment\":\"center\"},{\"isTransposed\":false,\"columnId\":\"8991452e-70b0-4dee-a3bb-f840b70af1fe\",\"alignment\":\"center\"},{\"columnId\":\"38dd2eaa-ba46-473b-9ecf-d55a40ef9ed3\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":n
ull}}},{\"columnId\":\"43067dd3-665f-4543-b21e-3b5f4cc96c97\",\"isTransposed\":false,\"alignment\":\"center\",\"colorMode\":\"cell\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\",\"params\":{\"stops\":[{\"color\":\"#6092c0\",\"stop\":0},{\"color\":\"#a8bfda\",\"stop\":20},{\"color\":\"#ebeff5\",\"stop\":40},{\"color\":\"#ecb385\",\"stop\":60},{\"color\":\"#e7664c\",\"stop\":80}],\"name\":\"temperature\",\"continuity\":\"above\",\"reverse\":false,\"rangeMin\":0,\"rangeMax\":null}}}],\"layerId\":\"3a5ee27d-64e5-4145-91f5-5805379b4f2f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3a5ee27d-64e5-4145-91f5-5805379b4f2f\":{\"columns\":{\"37f5da22-553d-4f51-8e0a-25ba01358872\":{\"label\":\"Benchmark Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"benchmark.name\",\"isBucketed\":true,\"params\":{\"size\":15,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8991452e-70b0-4dee-a3bb-f840b70af1fe\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a648975d-7369-4b4b-bf40-70dabb3571c0\":{\"label\":\"Version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"benchmark.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8991452e-70b0-4dee-a3bb-f840b70af1fe\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"8991452e-70b0-4dee-a3bb-f840b70af1fe\":{\"label\":\"Total 
Checks\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"38dd2eaa-ba46-473b-9ecf-d55a40ef9ed3\":{\"label\":\"Total Failures\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.id\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"43067dd3-665f-4543-b21e-3b5f4cc96c97X0\":{\"label\":\"Part of count(kql='rule.result : \\\"fail\\\" ') * 10\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result : \\\"fail\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"43067dd3-665f-4543-b21e-3b5f4cc96c97X1\":{\"label\":\"Part of count(kql='rule.result : \\\"fail\\\" ') * 10\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"multiply\",\"args\":[\"43067dd3-665f-4543-b21e-3b5f4cc96c97X0\",10],\"location\":{\"min\":0,\"max\":39},\"text\":\"count(kql='rule.result : \\\"fail\\\" ') * 10\"}},\"references\":[\"43067dd3-665f-4543-b21e-3b5f4cc96c97X0\"],\"customLabel\":true},\"43067dd3-665f-4543-b21e-3b5f4cc96c97\":{\"label\":\"Total Score\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"count(kql='rule.result : \\\"fail\\\" ') * 
10\",\"isFormulaBroken\":false},\"references\":[\"43067dd3-665f-4543-b21e-3b5f4cc96c97X1\"],\"customLabel\":true}},\"columnOrder\":[\"37f5da22-553d-4f51-8e0a-25ba01358872\",\"a648975d-7369-4b4b-bf40-70dabb3571c0\",\"8991452e-70b0-4dee-a3bb-f840b70af1fe\",\"38dd2eaa-ba46-473b-9ecf-d55a40ef9ed3\",\"43067dd3-665f-4543-b21e-3b5f4cc96c97\",\"43067dd3-665f-4543-b21e-3b5f4cc96c97X0\",\"43067dd3-665f-4543-b21e-3b5f4cc96c97X1\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Benchmark Results\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":9,\"h\":6,\"i\":\"2a770935-c253-4473-9b7c-47353bb53b47\"},\"panelIndex\":\"2a770935-c253-4473-9b7c-47353bb53b47\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"6fff9691-3ddd-4388-8285-de60ad5d992f\",\"layerType\":\"data\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"percent\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#E7664C\",\"stop\":33.33},{\"color\":\"#DA8B45\",\"stop\":66.66},{\"color\":\"#6092C0\",\"stop\":100}],\"colorStops\":[{\"color\":\"#E7664C\",\"stop\":null},{\"color\":\"#DA8B45\",\"stop\":33.33},{\"color\":\"#6092C0\",\"stop\":66.66}],\"continuity\":\"all\",\"maxSteps\":5}},\"metricAccessor\":\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"maxAccessor\":\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\",\"showBar\":true,\"progressDirection\":\"horizontal\",\"subtitle\":\"Passed tests to all 
tests.\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6fff9691-3ddd-4388-8285-de60ad5d992f\":{\"columns\":{\"71671d69-d31c-4a61-9ee3-68bacec8d16f\":{\"label\":\"Total Passes\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.result: \\\"pass\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"rule.result: \\\"fail\\\" or rule.result: \\\"pass\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"71671d69-d31c-4a61-9ee3-68bacec8d16f\",\"a2a4b1f7-a375-41c3-8b87-261df67e20c0\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":24,\"w\":9,\"h\":12,\"i\":\"f96a0653-055c-46d2-9dfd-f44631a1428b\"},\"panelIndex\":\"f96a0653-055c-46d2-9dfd-f44631a1428b\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Checks by Results and 
Severity\",\"panelRefName\":\"panel_f96a0653-055c-46d2-9dfd-f44631a1428b\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":19,\"w\":39,\"h\":30,\"i\":\"e9ebb74e-da8e-40f8-b8a5-b47558d28d04\"},\"panelIndex\":\"e9ebb74e-da8e-40f8-b8a5-b47558d28d04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a\",\"name\":\"indexpattern-datasource-layer-684ae460-2769-47f6-b1e3-442ea5978011\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"a19d4424-845d-4c07-bd6f-c90128a0ff8f\"},{\"isTransposed\":false,\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\",\"hidden\":true},{\"columnId\":\"fbd00864-4cc9-41ac-9f8d-20265f9601f8\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"9190595b-2b89-47ab-bb49-62819cd2e3a5\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"2bfceb96-1e89-4a1f-83f9-cbb4bc2d0ae4\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"eaef3af5-13f3-4936-baf5-5f1dd42bb36c\",\"isTransposed\":false},{\"columnId\":\"ed8182ed-6249-449f-844f-138d115fc1d6\",\"isTransposed\":false},{\"columnId\":\"f25bbb8d-e09e-4a7a-9979-f6ca304fbcd2\",\"isTransposed\":false,\"alignment\":\"center\"}],\"layerId\":\"684ae460-2769-47f6-b1e3-442ea5978011\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"684ae460-2769-47f6-b1e3-442ea5978011\":{\"columns\":{\"a19d4424-845d-4c07-bd6f-c90128a0ff8f\":{\"label\":\"Title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.title\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}
,\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"fbd00864-4cc9-41ac-9f8d-20265f9601f8\":{\"label\":\"Finding ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.finding_id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9190595b-2b89-47ab-bb49-62819cd2e3a5\":{\"label\":\"Severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2bfceb96-1e89-4a1f-83f9-cbb4bc2d0ae4\":{\"label\":\"Test Result\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.result\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"eaef3af5-13f3-4936-baf5-5f1dd42bb36c\":{\"label\":\"Rule 
ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ed8182ed-6249-449f-844f-138d115fc1d6\":{\"label\":\"STIG ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.stig_id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f25bbb8d-e09e-4a7a-9979-f6ca304fbcd2\":{\"label\":\"Last Reported\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"@timestamp\",\"filter\":{\"query\":\"@timestamp: *\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"@timestamp\"},\"customLabel\":true}},\"columnOrder\":[\"a19d4424-845d-4c07-bd6f-c90128a0ff8f\",\"2bfceb96-1e89-4a1f-83f9-cbb4bc2d0ae4\",\"fbd00864-4cc9-41ac-9f8d-20265f9601f8\",\"ed8182ed-6249-449f-844f-138d115fc1d6\",\"9190595b-2b89-47ab-bb49-62819cd2e3a5\",\"eaef3af5-13f3-4936-baf5-5f1dd42bb36c\",\"f06f16d7-6954-48fd-9c3d-cbf7a7c8ccc6\",\"f25bbb8d-e09e-4a7a-9979-f6ca304fbcd2\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Rule 
Results\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":9,\"h\":9,\"i\":\"8a98dfe4-7bf6-43b7-a050-ad6bc362a79e\"},\"panelIndex\":\"8a98dfe4-7bf6-43b7-a050-ad6bc362a79e\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Benchmark Results \\nTYCHON scans endpoints for weaknesses in the Operating System and Software to help you meet regulatory compliance and secure your attack surface. TYCHON uses SCAP (Security Content Automation Protocol) to perform checks and read results.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Endpoint Browser - Benchmark Results", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:38:45.823Z", + "id": "tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc", + "name": "8f6fafd2-91a2-424b-a877-284568fd3f98:panel_8f6fafd2-91a2-424b-a877-284568fd3f98", + "type": "visualization" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "363067aa-6ee2-41c7-b95d-0e61e6c28537:indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "6eda45c7-cb35-4f4a-8d66-4206ded45c8c:indexpattern-datasource-layer-3a5ee27d-64e5-4145-91f5-5805379b4f2f", + "type": "index-pattern" + }, + { + "id": 
"ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "2a770935-c253-4473-9b7c-47353bb53b47:indexpattern-datasource-layer-6fff9691-3ddd-4388-8285-de60ad5d992f", + "type": "index-pattern" + }, + { + "id": "tychon-837878a0-c3cb-11eb-8956-0b1a70e695fd", + "name": "f96a0653-055c-46d2-9dfd-f44631a1428b:panel_f96a0653-055c-46d2-9dfd-f44631a1428b", + "type": "visualization" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "e9ebb74e-da8e-40f8-b8a5-b47558d28d04:indexpattern-datasource-layer-684ae460-2769-47f6-b1e3-442ea5978011", + "type": "index-pattern" + }, + { + "id": "bb5226cd-c099-46d2-bb71-0257232c7d82", + "name": "controlGroup_accc2a18-0c16-4d33-b8df-09233a36a580:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "tychon-a3922360-3de6-11ee-9610-15dee918f31a", + "name": "tag-ref-a3922360-3de6-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "tychon-10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "tychon-579051b0-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-579051b0-10f2-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "tychon-39b55820-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-39b55820-10f2-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "tychon-e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:38:45.823Z", + "version": "WzgyMDAyMiwyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-e24ce070-3c85-11ee-9610-15dee918f31a-exposedservice.json b/packages/tychon/kibana/dashboard/tychon-e24ce070-3c85-11ee-9610-15dee918f31a-exposedservice.json new file mode 100644 index 00000000000..521ad2d5dd6 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-e24ce070-3c85-11ee-9610-15dee918f31a-exposedservice.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "TYCHON monitors endpoints for listening ports and reports them to the server. Details are captured at the time of the check and can be a historical view. However, similar listening ports are updated with each check.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":39,\"i\":\"258910e8-1f41-4100-a8c6-1bd212f9d27e\"},\"panelIndex\":\"258910e8-1f41-4100-a8c6-1bd212f9d27e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-24de3dec-56cf-4cf2-98a6-3c78ed05d960\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"24de3dec-56cf-4cf2-98a6-3c78ed05d960\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"2afe8e01-1ca4-407f-a375-5c177d34fd47\",\"accessors\":[\"a3a0c1b6-7adc-46b9-ac80-d01429354e82\"],\"yConfig\":[{\"forAccessor\":\"a3a0c1b6-7adc-46b9-ac80-d01429354e82\",\"axisMode\":\"auto\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}],\"xTitle\":\"\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"24de3dec-56cf-4cf2-98a6-3c
78ed05d960\":{\"columns\":{\"2afe8e01-1ca4-407f-a375-5c177d34fd47\":{\"label\":\"Process Names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a3a0c1b6-7adc-46b9-ac80-d01429354e82\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a3a0c1b6-7adc-46b9-ac80-d01429354e82\":{\"label\":\"Processes Captured\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2afe8e01-1ca4-407f-a375-5c177d34fd47\",\"a3a0c1b6-7adc-46b9-ac80-d01429354e82\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Most Active 
Processes\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":29,\"h\":9,\"i\":\"5720248d-77b4-4c3a-a755-856207618998\"},\"panelIndex\":\"5720248d-77b4-4c3a-a755-856207618998\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-8f31e3a1-68a6-4044-8fab-397567f134ee\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"8f31e3a1-68a6-4044-8fab-397567f134ee\",\"seriesType\":\"line\",\"accessors\":[\"c0c36be5-29d6-448d-8729-267feb104868\"],\"layerType\":\"data\",\"xAccessor\":\"79ff6781-0fe5-404b-9e55-d6d334aed1d5\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"8f31e3a1-68a6-4044-8fab-397567f134ee\":{\"columns\":{\"c0c36be5-29d6-448d-8729-267feb104868\":{\"label\":\"Network Transport\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"network.transport\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"79ff6781-0fe5-404b-9e55-d6d334aed1d5\":{\"label\":\"Events 
Observed\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"1w\",\"includeEmptyRows\":true,\"dropPartials\":false},\"customLabel\":true}},\"columnOrder\":[\"79ff6781-0fe5-404b-9e55-d6d334aed1d5\",\"c0c36be5-29d6-448d-8729-267feb104868\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":9,\"w\":30,\"h\":20,\"i\":\"3b75685e-24d0-4a07-bb8d-65011b6109e1\"},\"panelIndex\":\"3b75685e-24d0-4a07-bb8d-65011b6109e1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-a860a0ca-9856-48a6-9f80-c2f21b8bf996\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"a1d81ada-dd46-4a1c-ba1e-e7fb49550f37\",\"width\":118.72222222222229},{\"isTransposed\":false,\"columnId\":\"9b91b4f2-60e0-40cd-84ef-e465c214834f\",\"width\":534.3333333333333},{\"isTransposed\":false,\"columnId\":\"2b439f50-e5cc-47de-9273-d990402ffbcd\",\"width\":100.22222222222223,\"alignment\":\"center\"},{\"columnId\":\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\",\"isTransposed\":false}],\"layerId\":\"a860a0ca-9856-48a6-9f80-c2f21b8bf996\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a860a0ca-9856-48a6-9f80-c2f21b8bf996\":{\"columns\":{\"a1d81ada-dd46-4a1c-ba1e-e7fb49550f37\":{\"label\":\"Process 
Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9b91b4f2-60e0-40cd-84ef-e465c214834f\":{\"label\":\"Command Line\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2b439f50-e5cc-47de-9273-d990402ffbcd\":{\"label\":\"Transport\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.transport\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"process.pid\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a1d81ada-dd46-4a1c-ba1e-e7fb49550f37\",\"9b91b4f2-60e0-40cd-84ef-e465c214834f\",\"2b439f50-e5cc-47de-9273-d990402ffbcd\",\"58e2c5f1-f3fd-4a97-ad00-146eaf5f9f26\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layer
s\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":29,\"w\":30,\"h\":10,\"i\":\"87617db0-cd7c-4f32-99bd-1f2615d8d1a7\"},\"panelIndex\":\"87617db0-cd7c-4f32-99bd-1f2615d8d1a7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-2ce2e63d-d815-4db1-bc4b-609f7f80dc72\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"2ce2e63d-d815-4db1-bc4b-609f7f80dc72\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"heatmap_legend\",\"legendSize\":\"small\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":false},\"valueAccessor\":\"b4070a76-140e-47e4-a8e6-6aac0093c5e5\",\"xAccessor\":\"8f79caa9-e76d-405b-a271-ca4f58938886\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"2ce2e63d-d815-4db1-bc4b-609f7f80dc72\":{\"columns\":{\"8f79caa9-e76d-405b-a271-ca4f58938886\":{\"label\":\"Port Number\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"source.port\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\",\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true},\"b4070a76-140e-47e4-a8e6-6aac0093c5e5\":{\"label\":\"Usage 
Instances\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"8f79caa9-e76d-405b-a271-ca4f58938886\",\"b4070a76-140e-47e4-a8e6-6aac0093c5e5\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Most Prevalent Ports\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":16,\"i\":\"4ab60584-3359-4217-892c-3dddbf754aff\"},\"panelIndex\":\"4ab60584-3359-4217-892c-3dddbf754aff\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-0e20ed19-aae0-4939-a956-68aceebc3f7e\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"0e20ed19-aae0-4939-a956-68aceebc3f7e\",\"accessors\":[\"626edc6d-37d3-46f2-8e1b-91e57c836d22\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9556d14b-aa4e-465b-b781-ab354b1ac7c7\",\"splitAccessor\":\"73f9e58f-3b19-49b9-bfcf-9ac756934c66\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0e20ed19-aae0-4939-a956-68aceebc3f7e\":{\"columns\":{\"9556d14b-aa4e-465b-b78
1-ab354b1ac7c7\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":25,\"orderBy\":{\"type\":\"custom\"},\"orderAgg\":{\"label\":\"Unique count of process.name\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"process.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"626edc6d-37d3-46f2-8e1b-91e57c836d22\":{\"label\":\"# of Unique Processes\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"73f9e58f-3b19-49b9-bfcf-9ac756934c66\":{\"label\":\"Top 100 values of 
process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"626edc6d-37d3-46f2-8e1b-91e57c836d22\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"73f9e58f-3b19-49b9-bfcf-9ac756934c66\",\"9556d14b-aa4e-465b-b781-ab354b1ac7c7\",\"626edc6d-37d3-46f2-8e1b-91e57c836d22\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":55,\"w\":33,\"h\":22,\"i\":\"cee8b6b3-2032-4e8e-a12a-4f8b0023a506\"},\"panelIndex\":\"cee8b6b3-2032-4e8e-a12a-4f8b0023a506\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-e0cae3a1-c6ec-43da-b419-1e93f1b79cc9\"}],\"state\":{\"visualization\":{\"shape\":\"treemap\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"layers\":[{\"layerId\":\"e0cae3a1-c6ec-43da-b419-1e93f1b79cc9\",\"primaryGroups\":[\"98f90733-b8b7-4748-a4da-ea0023622259\"],\"metrics\":[\"e7b1d7e7-fbcb-4ac1-b820-085a98e899c2\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e0cae3a1-c6ec-43da-b419-1e93f1b79cc9\":{\"columns\":{\"98f90733-b8b7-4748-a4da-ea0023622259\":{\"label\":\"Process 
Username\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.user.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e7b1d7e7-fbcb-4ac1-b820-085a98e899c2\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e7b1d7e7-fbcb-4ac1-b820-085a98e899c2\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"98f90733-b8b7-4748-a4da-ea0023622259\",\"e7b1d7e7-fbcb-4ac1-b820-085a98e899c2\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":33,\"y\":55,\"w\":15,\"h\":22,\"i\":\"8e36813d-4556-4641-8d29-4f2f295cb7c1\"},\"panelIndex\":\"8e36813d-4556-4641-8d29-4f2f295cb7c1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"c6b645d3-dd29-43f2-b831-49e29ffd5b6c\",\"name\":\"indexpattern-datasource-layer-892c0e1e-878a-4e74-8cfc-00ebf1171aed\"}],\"state\":{\"visualization\":{\"layerId\":\"892c0e1e-878a-4e74-8cfc-00ebf1171aed\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"3a6015f2-d1cd-49fa-821a-e1205400f24a\"},{\"columnId\":\"2ab88515-4a2c-4bc3-8382-18e713e44bb8\"}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"892c0e1e-878a-4e74-8cfc-00ebf1171aed\":{\"columns\":{\"3a6015f2-d1cd-49fa-821a-e1205400f24a\":{\"label\":\"Username\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":
\"ordinal\",\"sourceField\":\"process.user.name\",\"isBucketed\":true,\"params\":{\"size\":10000,\"orderBy\":{\"type\":\"column\",\"columnId\":\"2ab88515-4a2c-4bc3-8382-18e713e44bb8\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2ab88515-4a2c-4bc3-8382-18e713e44bb8\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"3a6015f2-d1cd-49fa-821a-e1205400f24a\",\"2ab88515-4a2c-4bc3-8382-18e713e44bb8\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Exposed Services", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-23T20:36:42.243Z", + "id": "tychon-e24ce070-3c85-11ee-9610-15dee918f31a-exposedservice", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "258910e8-1f41-4100-a8c6-1bd212f9d27e:indexpattern-datasource-layer-24de3dec-56cf-4cf2-98a6-3c78ed05d960", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "5720248d-77b4-4c3a-a755-856207618998:indexpattern-datasource-layer-8f31e3a1-68a6-4044-8fab-397567f134ee", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "3b75685e-24d0-4a07-bb8d-65011b6109e1:indexpattern-datasource-layer-a860a0ca-9856-48a6-9f80-c2f21b8bf996", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": 
"87617db0-cd7c-4f32-99bd-1f2615d8d1a7:indexpattern-datasource-layer-2ce2e63d-d815-4db1-bc4b-609f7f80dc72", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "4ab60584-3359-4217-892c-3dddbf754aff:indexpattern-datasource-layer-0e20ed19-aae0-4939-a956-68aceebc3f7e", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "cee8b6b3-2032-4e8e-a12a-4f8b0023a506:indexpattern-datasource-layer-e0cae3a1-c6ec-43da-b419-1e93f1b79cc9", + "type": "index-pattern" + }, + { + "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c", + "name": "8e36813d-4556-4641-8d29-4f2f295cb7c1:indexpattern-datasource-layer-892c0e1e-878a-4e74-8cfc-00ebf1171aed", + "type": "index-pattern" + }, + { + "id": "e2bb7d40-3de4-11ee-9610-15dee918f31a", + "name": "tag-ref-e2bb7d40-3de4-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "name": "tag-ref-5a3ae0c0-3dbf-11ee-9610-15dee918f31a", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-23T20:36:42.243Z", + "version": "WzgxOTg2NCwyMl0=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/dashboard/tychon-e3cbb1a0-112a-11ee-af86-538da1394f27-log.json b/packages/tychon/kibana/dashboard/tychon-e3cbb1a0-112a-11ee-af86-538da1394f27-log.json new file mode 100644 index 00000000000..18112bc2184 --- /dev/null +++ b/packages/tychon/kibana/dashboard/tychon-e3cbb1a0-112a-11ee-af86-538da1394f27-log.json 
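Review bot: The "Most Prevalent Ports" heatmap in this dashboard's panelsJSON buckets `source.port` into one fixed range (`"ranges":[{"from":0,"to":1000,"label":""}]`), so any listener above port 1000 — where services such as RDP, WinRM, database and web-admin ports typically sit — silently drops out of a panel titled as if it covered all exposed services; widening it to `{"from":0,"to":65536,"label":""}` or using a terms aggregation on the port field would remove that blind spot, and it is worth confirming that the package actually maps the listening port to `source.port` rather than `destination.port`. The "# of Unique Processes" metric in the stacked bar panel is a `count` of `___records___`, while only the bucket ordering (`orderAgg`) uses `unique_count` of `process.name`, so the label overstates what is plotted; either relabel it or change the metric to `"operationType":"unique_count"` with `"sourceField":"process.name"`. The datatable's "Command Line" column renders `process.command_line` verbatim, and command lines routinely carry credentials or tokens passed as arguments, so the dashboard description (or the package README) should state that every viewer of this dashboard sees them and point at field-level security on the data view for deployments where that matters.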
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "description": "Track TYCHON Agentless Event runs, ensure there are no errors and find hosts that are not sending report data.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.provider\",\"params\":{\"query\":\"TYCHON\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.provider\":\"TYCHON\"}},\"$state\":{\"store\":\"appState\"}}]}"
+ },
+ "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}",
+ "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":9,\"i\":\"0d3c8367-8409-4931-accd-0b1dddd5895c\"},\"panelIndex\":\"0d3c8367-8409-4931-accd-0b1dddd5895c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-e7402bc7-e904-495e-9339-368e8238ddde\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"e7402bc7-e904-495e-9339-368e8238ddde\",\"accessors\":[\"16655ccf-fa72-4b4a-820a-1abc0f970605\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"56d44da7-b14d-4203-923a-ed4054adb0cf\",\"splitAccessor\":\"a
4e593d8-b5ac-4ede-8a44-50d0d0a64af0\"}]},\"query\":{\"query\":\"event.provider : \\\"TYCHON\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e7402bc7-e904-495e-9339-368e8238ddde\":{\"columns\":{\"56d44da7-b14d-4203-923a-ed4054adb0cf\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"16655ccf-fa72-4b4a-820a-1abc0f970605\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"a4e593d8-b5ac-4ede-8a44-50d0d0a64af0\":{\"label\":\"Event Codes\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.code\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"16655ccf-fa72-4b4a-820a-1abc0f970605\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"a4e593d8-b5ac-4ede-8a44-50d0d0a64af0\",\"56d44da7-b14d-4203-923a-ed4054adb0cf\",\"16655ccf-fa72-4b4a-820a-1abc0f970605\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"TYCHON 
Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":29,\"i\":\"003ea62c-e6c6-4352-bbf3-56de3c4b27d5\"},\"panelIndex\":\"003ea62c-e6c6-4352-bbf3-56de3c4b27d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8\"}],\"state\":{\"visualization\":{\"layerId\":\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"oneClickFilter\":true},{\"columnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\",\"alignment\":\"center\"}],\"rowHeight\":\"single\",\"rowHeightLines\":1,\"headerRowHeight\":\"single\",\"headerRowHeightLines\":1,\"paging\":{\"size\":10,\"enabled\":false}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\":{\"columns\":{\"d0467eec-3e15-4567-8bec-0d645aa43766\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"68c6974a-897b-4580-9260-649e2e8097d0\":{\"label\":\"Last Event Received\",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"event.ingested\",\"filter\":{\"query\":\"event.ingested: 
*\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"event.ingested\"},\"customLabel\":true}},\"columnOrder\":[\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"68c6974a-897b-4580-9260-649e2e8097d0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 200 Hosts Reporting Times\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":29,\"i\":\"08c2bd9a-4e44-47e7-80b2-12ee8f6c848a\"},\"panelIndex\":\"08c2bd9a-4e44-47e7-80b2-12ee8f6c848a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8\"}],\"state\":{\"visualization\":{\"layerId\":\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"oneClickFilter\":true},{\"columnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\",\"alignment\":\"center\"}],\"rowHeight\":\"single\",\"rowHeightLines\":1,\"headerRowHeight\":\"single\",\"headerRowHeightLines\":1,\"paging\":{\"size\":10,\"enabled\":false}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\":{\"columns\":{\"d0467eec-3e15-4567-8bec-0d645aa43766\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"columnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":tr
ue},\"68c6974a-897b-4580-9260-649e2e8097d0\":{\"label\":\"Last Vulnerability Scan \",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"event.ingested\",\"filter\":{\"query\":\"event.code: 8000\",\"language\":\"kuery\"},\"params\":{\"sortField\":\"event.ingested\"},\"customLabel\":true}},\"columnOrder\":[\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"68c6974a-897b-4580-9260-649e2e8097d0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 200 Hosts Vulnerability Scan\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":29,\"i\":\"d06340ad-f85b-41d2-b355-a63935813f2a\"},\"panelIndex\":\"d06340ad-f85b-41d2-b355-a63935813f2a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8\"}],\"state\":{\"visualization\":{\"layerId\":\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"oneClickFilter\":true},{\"columnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\",\"alignment\":\"center\"}],\"rowHeight\":\"single\",\"rowHeightLines\":1,\"headerRowHeight\":\"single\",\"headerRowHeightLines\":1,\"paging\":{\"size\":10,\"enabled\":false}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6c37a2a4-f317-4829-ae4c-ac399bb98cf8\":{\"columns\":{\"d0467eec-3e15-4567-8bec-0d645aa43766\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":200,\"orderBy\":{\"type\":\"column\",\"c
olumnId\":\"68c6974a-897b-4580-9260-649e2e8097d0\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"68c6974a-897b-4580-9260-649e2e8097d0\":{\"label\":\"Last Vulnerability Scan \",\"dataType\":\"date\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"event.ingested\",\"filter\":{\"query\":\"event.code: \\\"8100\\\" \",\"language\":\"kuery\"},\"params\":{\"sortField\":\"event.ingested\"},\"customLabel\":true}},\"columnOrder\":[\"d0467eec-3e15-4567-8bec-0d645aa43766\",\"68c6974a-897b-4580-9260-649e2e8097d0\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 200 Hosts STIG/SCAP Scan\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":10,\"i\":\"375c0c11-1577-4003-80f7-49eb9bc59ed6\"},\"panelIndex\":\"375c0c11-1577-4003-80f7-49eb9bc59ed6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-9718473a-bff7-48ea-86aa-04ffed5eed06\"}],\"state\":{\"visualization\":{\"layerId\":\"9718473a-bff7-48ea-86aa-04ffed5eed06\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\"},{\"columnId\":\"1690c6b9-3994-45fe-b5df-f969d2db8685\",\"alignment\":\"center\",\"summaryRow\":\"sum\",\"summaryLabel\":\"Total\"}],\"sorting\":{\"columnId\":\"1690c6b9-3994-45fe-b5df-f969d2db8685\",\"direction\":\"desc\"}},\"query\":{\"query\":\"event.provider : \\\"TYCHON\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9718473a-bff7-48ea-86aa-04ffed5eed06\":{\"columns\":{\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\":{\"label\":\"Event Category\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"CVE Events\",\"input\":{\"query\":\"event.code \u003e= 8000 and event.code \u003c 8007\",\"language\":\"kuery\"}},{\"input\":{\"query\":\"event.code \u003e= 8100 and event.code \u003c=8108\",\"language\":\"kuery\"},\"label\":\"SCAP/STIG Events\"},{\"input\":{\"query\":\"event.code \u003e= 8200 and event.code \u003c= 8203\",\"language\":\"kuery\"},\"label\":\"EPP Events\"},{\"input\":{\"query\":\"event.code \u003e= 8900 and event.code \u003c= 8968\",\"language\":\"kuery\"},\"label\":\"TYCHON General Events\"}]},\"customLabel\":true},\"1690c6b9-3994-45fe-b5df-f969d2db8685\":{\"label\":\"Total Records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\",\"1690c6b9-3994-45fe-b5df-f969d2db8685\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Event Counts By Category\"},{\"version\":\"8.6.2\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":29,\"i\":\"bfd61155-5434-4118-9ab8-d9c7622aa296\"},\"panelIndex\":\"bfd61155-5434-4118-9ab8-d9c7622aa296\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Log 
stream\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":19,\"w\":9,\"h\":8,\"i\":\"51fd833e-0ffd-488e-9e08-d9342ccd6884\"},\"panelIndex\":\"51fd833e-0ffd-488e-9e08-d9342ccd6884\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-9718473a-bff7-48ea-86aa-04ffed5eed06\"}],\"state\":{\"visualization\":{\"layerId\":\"9718473a-bff7-48ea-86aa-04ffed5eed06\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\"},{\"columnId\":\"1690c6b9-3994-45fe-b5df-f969d2db8685\",\"alignment\":\"center\",\"summaryRow\":\"sum\",\"summaryLabel\":\"Total\"}],\"sorting\":{\"columnId\":\"1690c6b9-3994-45fe-b5df-f969d2db8685\",\"direction\":\"desc\"}},\"query\":{\"query\":\"event.provider : \\\"TYCHON\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"9718473a-bff7-48ea-86aa-04ffed5eed06\":{\"columns\":{\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\":{\"label\":\"Event Category\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Error Events\",\"input\":{\"query\":\"log.level : \\\"error\\\" \",\"language\":\"kuery\"}},{\"input\":{\"query\":\"log.level : \\\"warning\\\" \",\"language\":\"kuery\"},\"label\":\"Warning Events\"},{\"input\":{\"query\":\"log.level : \\\"information\\\" \",\"language\":\"kuery\"},\"label\":\"Information Events\"}]},\"customLabel\":true},\"1690c6b9-3994-45fe-b5df-f969d2db8685\":{\"label\":\"Total 
Records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"ee089046-8dd0-47f9-b094-31dc5a43d8ad\",\"1690c6b9-3994-45fe-b5df-f969d2db8685\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Event Counts By Severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":27,\"w\":9,\"h\":11,\"i\":\"f560734b-0618-40e0-828a-a6e141cf62a2\"},\"panelIndex\":\"f560734b-0618-40e0-828a-a6e141cf62a2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-51fcf8c0-74c4-469b-a2c3-5581b411a908\"}],\"state\":{\"visualization\":{\"layerId\":\"51fcf8c0-74c4-469b-a2c3-5581b411a908\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d8139485-6b46-45aa-8376-c2b28f89e022\"},{\"columnId\":\"568e03d3-c0c2-42db-8c81-e4cac6e39fa5\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"51fcf8c0-74c4-469b-a2c3-5581b411a908\":{\"columns\":{\"d8139485-6b46-45aa-8376-c2b28f89e022\":{\"label\":\"Errors:\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Module Not Supported Error\",\"input\":{\"query\":\"event.provider:\\\"TYCHON\\\" and message:\\\"*is not supported\\\"\",\"language\":\"kuery\"}},{\"input\":{\"query\":\"event.provider : \\\"TYCHON\\\" and message:\\\"*not found in item*\\\"\",\"language\":\"kuery\"},\"label\":\"Item Not Found\"}]},\"customLabel\":true},\"568e03d3-c0c2-42db-8c81-e4cac6e39fa5\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"d8139485-6b46-45aa-8376-c2b28f89e022\",\"568e03d3-c0c2-42db-8c81-e4cac6e39fa5\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"TYCHON Errors\"},{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":38,\"w\":27,\"h\":38,\"i\":\"2a8fb3f0-8a3a-4f26-94d6-ef0454458190\"},\"panelIndex\":\"2a8fb3f0-8a3a-4f26-94d6-ef0454458190\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### TYCHON Event ID Mapping:\\n\\n|Category|Event ID|Event Type|Message Format|Source|Level|\\n| --- | --- | --- | --- | --- | --- |\\n|CVE| 8000\\t| TYCHON Vulnerability Check Started | Vulnerability Check Started\\t| TYCHON\\t|INFO |\\n|CVE| 8001\\t| TYCHON Vulnerability Check Failed\\t| Vulnerability Check Failed\\t| TYCHON\\t| ERROR\\n|CVE| 8002\\t| TYCHON Vulnerability Check Complete\\t| Vulnerability Check Complete\\t| TYCHON\\t| INFO\\n|CVE| 8003\\t| TYCHON CVE Check Passed\\t| Formatted scan output for passing test.\\t| TYCHON\\t| INFO\\n|CVE| 8004\\t| TYCHON CVE Check Failed\\t| Formatted scan output for failed test.\\t| TYCHON\\t| ERROR\\n|CVE| 8005\\t| TYCHON CVE Check Error\\t| Formatted scan output for test that reports an error.\\t| TYCHON\\t| WARN\\n|CVE|8006\\t| TYCHON CVE Delta Check Passed\\t| Formatted module output.\\t| TYCHON\\t| WARN\\n|STIG |8100 |TYCHON STIG Check Started\\t|TYCHON STIG Check Started\\t|TYCHON\\t|INFO\\n|STIG | 8101\\t|TYCHON STIG Check Failed\\t|TYCHON STIG Check Failed\\t|TYCHON\\t|ERROR\\n|STIG | 8102\\t|TYCHON STIG Check Complete\\t|TYCHON STIG Check Complete\\t|TYCHON\\t|INFO\\n|STIG 
| 8103\\t|TYCHON Benchmark Check Failed\\t|Formatted benchmark output\\t|TYCHON\\t|ERROR\\n|STIG | 8304\\t|TYCHON Benchmark Check Passed\\t|Formatted benchmark output\\t|TYCHON\\t|INFO\\n|STIG | 8105\\t|TYCHON Benchmark Check Error\\t|Formatted benchmark output\\t|TYCHON\\t|WARN\\n|STIG | 8106\\t|TYCHON Benchmark Delta Check Passed\\t|Formatted module output\\t|TYCHON\\t|WARN\\n|STIG | 8107\\t|TYCHON Benchmark Scan Start\\t|TYCHON Benchmark \u003cBENCHMARK NAME\u003e \u003cBENCHMARK ID\u003e\u003cPROFILE ID\u003e Scan Start\\t|TYCHON\\t|INFO\\n|STIG | 8108|TYCHON Benchmark Scan Complete\\t|TYCHON Benchmark \u003cBENCHMARK NAME\u003e \u003cBENCHMARK ID\u003e\u003cPROFILE ID\u003e Scan Complete.\\t|TYCHON\\t|INFO\\n|EPP|8200|TYCHON EPP Check Started\\t|TYCHON EPP Check Started\\t|TYCHON\\t|INFO\\n|EPP|8201|TYCHON EPP Check Completed\\t|TYCHON EPP Check Complete\\t|TYCHON\\t|ERROR\\n|EPP|8202|TYCHON EPP Setting Check Passed\\t|Formatted module output\\t|TYCHON\\t|INFO\\n|EPP|8203|TYCHON EPP Setting Check Failed\\t|Formatted module output\\t|TYCHON\\t|ERROR\\n|General|8900|TYCHON General Issue\\t|Free form\\t|TYCHON\\t|ERROR\\n|General|8901|TYCHON General Issue\\t|Free form\\t|TYCHON\\t|WARN\\n|General|8902|TYCHON General Issue\\t|Free form\\t|TYCHON\\t|INFO\\n|General|8968|TYCHON Script Start\\t|TYCHON Script Start \u003cScript Name\u003e, \u003cStart Time\u003e Expectation to include the start time as a field.\\t|TYCHON\\t|INFO\\n|General|8968|TYCHON Script Complete\\t|TYCHON Script Complete \u003cScript Name\u003e, \u003cCompletion Time\u003e Expectation to include the completion time as a 
field.\\t|TYCHON\\t|INFO\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":27,\"y\":38,\"w\":12,\"h\":19,\"i\":\"ffd3a473-3cb4-4ef1-95a2-19899211b020\"},\"panelIndex\":\"ffd3a473-3cb4-4ef1-95a2-19899211b020\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-7291df4e-9082-4935-8fed-0f3d42910589\"}],\"state\":{\"visualization\":{\"layerId\":\"7291df4e-9082-4935-8fed-0f3d42910589\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"e4855ab7-72e1-4b6a-a668-c8a39ab3dba2\",\"alignment\":\"left\",\"oneClickFilter\":true},{\"columnId\":\"59d9fc9f-a21c-4b5b-a87b-b66b016505fa\",\"alignment\":\"center\"},{\"columnId\":\"56e6a432-6881-4338-b91c-a907653fbd8c\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"1503adce-02f2-4ee6-a15d-9b76b98c40d8\",\"isTransposed\":false,\"alignment\":\"center\"},{\"columnId\":\"ca252885-1816-4144-a8b4-444d3e186b20\",\"isTransposed\":false,\"alignment\":\"center\"}],\"sorting\":{\"columnId\":\"e4855ab7-72e1-4b6a-a668-c8a39ab3dba2\",\"direction\":\"desc\"}},\"query\":{\"query\":\"event.code: 8101 or event.code: 8001 or event.code:8203\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7291df4e-9082-4935-8fed-0f3d42910589\":{\"columns\":{\"e4855ab7-72e1-4b6a-a668-c8a39ab3dba2\":{\"label\":\"Date\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"event.ingested\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":false},\"customLabel\":true},\"59d9fc9f-a21c-4b5b-a87b-b66b016505fa\":{\"label\":\"Total 
Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"56e6a432-6881-4338-b91c-a907653fbd8c\":{\"label\":\"STIG Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.code: 8101\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"1503adce-02f2-4ee6-a15d-9b76b98c40d8\":{\"label\":\"Vulnerability Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.code: 8001\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"ca252885-1816-4144-a8b4-444d3e186b20\":{\"label\":\"EPP Failures\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.code: \\\"8203\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e4855ab7-72e1-4b6a-a668-c8a39ab3dba2\",\"59d9fc9f-a21c-4b5b-a87b-b66b016505fa\",\"56e6a432-6881-4338-b91c-a907653fbd8c\",\"1503adce-02f2-4ee6-a15d-9b76b98c40d8\",\"ca252885-1816-4144-a8b4-444d3e186b20\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Scan Failures Per 
Day\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":39,\"y\":38,\"w\":9,\"h\":19,\"i\":\"6a813b1d-6a0b-414a-88e0-0c25bd7a5a2d\"},\"panelIndex\":\"6a813b1d-6a0b-414a-88e0-0c25bd7a5a2d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"df491fbb-3f09-4ab0-995a-c2c549a9bc21\",\"name\":\"indexpattern-datasource-layer-7c6422f1-c23f-49b2-8736-1971f6116592\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"7c6422f1-c23f-49b2-8736-1971f6116592\",\"primaryGroups\":[\"2416f259-6b27-465e-91da-4adafc040ead\"],\"metrics\":[\"387b0e2c-27c5-46f6-89da-8e2b10dc46c7\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"7c6422f1-c23f-49b2-8736-1971f6116592\":{\"columns\":{\"2416f259-6b27-465e-91da-4adafc040ead\":{\"label\":\"Top 5 values of host.os.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"387b0e2c-27c5-46f6-89da-8e2b10dc46c7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"387b0e2c-27c5-46f6-89da-8e2b10dc46c7\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2416f259-6b27-465e-91da-4adafc040ead\",\"387b0e2c-27c5-46f6-89da-8e2b10dc46c7\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Operating System Breakdown\"}]",
+ "refreshInterval": {
+ "pause": true,
+ "value": 0
+ },
+ "timeFrom": "now-7d/d",
+ "timeRestore": true,
+ "timeTo": "now",
+ "title": "[TYCHON] - Agentless Event Logs",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-06-22T19:24:40.643Z",
+ "id": "tychon-e3cbb1a0-112a-11ee-af86-538da1394f27-log",
+ "migrationVersion": {
+ "dashboard": "8.6.0"
+ },
+ "references": [
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "0d3c8367-8409-4931-accd-0b1dddd5895c:indexpattern-datasource-layer-e7402bc7-e904-495e-9339-368e8238ddde",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "003ea62c-e6c6-4352-bbf3-56de3c4b27d5:indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "08c2bd9a-4e44-47e7-80b2-12ee8f6c848a:indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "d06340ad-f85b-41d2-b355-a63935813f2a:indexpattern-datasource-layer-6c37a2a4-f317-4829-ae4c-ac399bb98cf8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": 
"375c0c11-1577-4003-80f7-49eb9bc59ed6:indexpattern-datasource-layer-9718473a-bff7-48ea-86aa-04ffed5eed06",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "51fd833e-0ffd-488e-9e08-d9342ccd6884:indexpattern-datasource-layer-9718473a-bff7-48ea-86aa-04ffed5eed06",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "f560734b-0618-40e0-828a-a6e141cf62a2:indexpattern-datasource-layer-51fcf8c0-74c4-469b-a2c3-5581b411a908",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "ffd3a473-3cb4-4ef1-95a2-19899211b020:indexpattern-datasource-layer-7291df4e-9082-4935-8fed-0f3d42910589",
+ "type": "index-pattern"
+ },
+ {
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "name": "6a813b1d-6a0b-414a-88e0-0c25bd7a5a2d:indexpattern-datasource-layer-7c6422f1-c23f-49b2-8736-1971f6116592",
+ "type": "index-pattern"
+ },
+ {
+ "id": "10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2023-06-22T19:24:40.643Z",
+ "version": "WzI4NDUzNSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/dashboard/tychon-f3f86a20-3d47-11ee-9610-15dee918f31a-host.json b/packages/tychon/kibana/dashboard/tychon-f3f86a20-3d47-11ee-9610-15dee918f31a-host.json
new file mode 100644
index 00000000000..a3c7c29dc30
--- /dev/null
+++ b/packages/tychon/kibana/dashboard/tychon-f3f86a20-3d47-11ee-9610-15dee918f31a-host.json
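Review bot: The `Top 200 Hosts STIG/SCAP Scan` panel still carries the column label `\"label\":\"Last Vulnerability Scan \"` although its filter is `event.code: \"8100\"`; the label looks copied from the vulnerability panel and should read `\"label\":\"Last STIG/SCAP Scan\"` (dropping the trailing space the vulnerability panel's label also has). Both of these last_value columns key on the *Check Started* codes (8000 and 8100 per the event-ID table in the markdown panel), so a host whose scan started and then failed (8001/8101) still shows a fresh scan time; filtering on the Complete codes (8002/8102) would better serve the dashboard's stated goal of finding hosts that are not reporting. The markdown table lists `|STIG | 8304\t|TYCHON Benchmark Check Passed` between 8103 and 8105, which looks like a typo for 8104, and assigns 8968 to both `TYCHON Script Start` and `TYCHON Script Complete`, so one of the two events has no usable code and the `event.code >= 8900 and event.code <= 8968` category filter inherits the ambiguity. The event.code filters also mix numeric (`event.code: 8101`) and quoted (`event.code: \"8203\"`) forms; one consistent form avoids surprises if the field mapping changes.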
@@ -0,0 +1,150 @@
+{
+ "attributes": {
+ "description": "TYCHON reports on current TPM, Device Guard, Secure Boot, DMA, System Guard, and HVE Code Integrity being available and Enabled.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}",
+ "panelsJSON": "[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":6,\"h\":8,\"i\":\"98423c47-09a4-460b-a2b2-f3c111bae4b5\"},\"panelIndex\":\"98423c47-09a4-460b-a2b2-f3c111bae4b5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-cebe4c55-66db-4691-b44a-a6282a29a7bd\"}],\"state\":{\"visualization\":{\"layerId\":\"cebe4c55-66db-4691-b44a-a6282a29a7bd\",\"accessor\":\"30e5a2fc-ce4a-42a6-9422-debeb64ebe98\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"m\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"cebe4c55-66db-4691-b44a-a6282a29a7bd\":{\"columns\":{\"30e5a2fc-ce4a-42a6-9422-debeb64ebe98\":{\"label\":\"Total Number of 
Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"30e5a2fc-ce4a-42a6-9422-debeb64ebe98\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":0,\"w\":7,\"h\":4,\"i\":\"0510df0c-1a13-43a1-a9da-e3837ff6b001\"},\"panelIndex\":\"0510df0c-1a13-43a1-a9da-e3837ff6b001\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Base Virtualization Support Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.basevirtualizationsupport.available : true \",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Unique count of 
host.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":0,\"w\":7,\"h\":4,\"i\":\"2296650a-59b3-49c3-8766-9b3e5dc2a60b\"},\"panelIndex\":\"2296650a-59b3-49c3-8766-9b3e5dc2a60b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Hypervisor Enforced Code Integrity Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.hypervisorenforcedcodeint.enabled : true \",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Unique count of 
host.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":20,\"y\":0,\"w\":7,\"h\":4,\"i\":\"b3b4f8d0-f425-4f30-bf9b-08f9bac344be\"},\"panelIndex\":\"b3b4f8d0-f425-4f30-bf9b-08f9bac344be\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Credential Guard Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.credentialguard.enabled : true\",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Unique count of 
host.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":27,\"y\":0,\"w\":7,\"h\":4,\"i\":\"8288c8d3-8052-4fcb-b8b1-03a03c088699\"},\"panelIndex\":\"8288c8d3-8052-4fcb-b8b1-03a03c088699\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\",\"color\":\"#2567ca\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Secure Memory Overwrite Not Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.securememoverwrite.available : false \",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":0,\"w\":7,\"h\":4,\"i\":\"c86a6a37-5078-43c1-aed8-8a49373bafe2\"},\"panelIndex\":\"c86a6a37-5078-43c1-aed8-8a49373bafe2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"DMA Protections Not Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.dmaprotection.available :false \",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":41,\"y\":0,\"w\":7,\"h\":4,\"i\":\"cbe84ec6-8b4f-4be4-9862-b72c8ed16f0c\"},\"panelIndex\":\"cbe84ec6-8b4f-4be4-9862-b72c8ed16f0c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"System Guard Secure Launch Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.systemguardsecurelaunch.enabled : true \",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":6,\"y\":4,\"w\":7,\"h\":4,\"i\":\"d7ddb672-7f1d-4833-a1a5-becc42cf9dec\"},\"panelIndex\":\"d7ddb672-7f1d-4833-a1a5-becc42cf9dec\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Windows SMM Security Mitigation Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.smmsecuritymigrations.available : true \",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Unique count of 
host.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":13,\"y\":4,\"w\":7,\"h\":4,\"i\":\"75a9ea69-9a70-490e-b260-664cdc9aa03f\"},\"panelIndex\":\"75a9ea69-9a70-490e-b260-664cdc9aa03f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"HVE Code Integrity Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.hypervisorenforcedcodeint.running : true \",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"event.deviceguard.hypervisorenforcedcodeint.enabled : true \",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":20,\"y\":4,\"w\":7,\"h\":4,\"i\":\"6e8d444b-1a29-4b93-90bd-f6aebfa0818c\"},\"panelIndex\":\"6e8d444b-1a29-4b93-90bd-f6aebfa0818c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Credential Guard Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.credentialguard.running : true \",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.credentialguard.enabled : true \",\"language\":\"kuery\"}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":27,\"y\":4,\"w\":7,\"h\":4,\"i\":\"915bad91-ce3c-461d-94ef-5da768d08aa1\"},\"panelIndex\":\"915bad91-ce3c-461d-94ef-5da768d08aa1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"Secure Boot Not Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.secureboot.available : false\",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":4,\"w\":7,\"h\":4,\"i\":\"46f76a3a-3bdf-42cf-9ed6-735fd2f0f27f\"},\"panelIndex\":\"46f76a3a-3bdf-42cf-9ed6-735fd2f0f27f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"UEFI Enabled\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.ufi.enabled : true\",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":41,\"y\":4,\"w\":7,\"h\":4,\"i\":\"a1836875-cbd5-44ec-9543-1eea05689733\"},\"panelIndex\":\"a1836875-cbd5-44ec-9543-1eea05689733\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"8b1f00fe-d1df-49df-83c7-812185d80225\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"System Guard Secure Launch Running\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.systemguardsecurelaunch.running : true \",\"language\":\"kuery\"}},\"8b1f00fe-d1df-49df-83c7-812185d80225\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.hostname\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"event.deviceguard.systemguardsecurelaunch.enabled : true \",\"language\":\"kuery\"}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"8b1f00fe-d1df-49df-83c7-812185d80225\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":3,\"h\":17,\"i\":\"91fa4dd4-c51a-4d25-bd36-7960198d687c\"},\"panelIndex\":\"91fa4dd4-c51a-4d25-bd36-7960198d687c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsGauge\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-e940b5ed-a6d9-488f-871b-d3e89450a469\"}],\"state\":{\"visualization\":{\"layerId\":\"e940b5ed-a6d9-488f-871b-d3e89450a469\",\"layerType\":\"data\",\"shape\":\"verticalBullet\",\"ticksPosition\":\"auto\",\"labelMajorMode\":\"auto\",\"metricAccessor\":\"278aed0b-127a-4727-9b30-36d8cbc242f3\",\"maxAccessor\":\"5b80e387-9916-4bef-9384-2a873e0e498f\",\"minAccessor\":\"3da8457f-342e-4115-ab2e-60b4c410a9bf\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e940b5ed-a6d9-488f-871b-d3e89450a469\":{\"columns\":{\"278aed0b-127a-4727-9b30-36d8cbc242f3\":{\"label\":\"TPM Compliant\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"filter\":{\"query\":\"host.tpm.compliant : true\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"5b80e387-9916-4bef-9384-2a873e0e498f\":{\"label\":\"Total 
Systems\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"3da8457f-342e-4115-ab2e-60b4c410a9bf\":{\"label\":\"Static value: 0\",\"dataType\":\"number\",\"operationType\":\"static_value\",\"isStaticValue\":true,\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"value\":\"0\"},\"references\":[]}},\"columnOrder\":[\"278aed0b-127a-4727-9b30-36d8cbc242f3\",\"5b80e387-9916-4bef-9384-2a873e0e498f\",\"3da8457f-342e-4115-ab2e-60b4c410a9bf\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":3,\"y\":8,\"w\":6,\"h\":11,\"i\":\"14ea02d4-b08f-4545-8415-c06fc189d8d2\"},\"panelIndex\":\"14ea02d4-b08f-4545-8415-c06fc189d8d2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-08732232-1c74-4bc6-9dc9-4fcd5bff66d2\"}],\"state\":{\"visualization\":{\"layerId\":\"08732232-1c74-4bc6-9dc9-4fcd5bff66d2\",\"accessor\":\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":100,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#E7664C\",\"stop\":0},{\"color\":\"#E7664C\",\"stop\":60},{\"color\":\"#D6BF57\",\"stop\":90},{\"color\":\"#54B399\",\"stop\":100}],\"colorStops\":[{\"color\":\"#E7664C\",\"stop\":null},{\"color\":\"#E7664C\",\"stop\":0},{\"color\":\"#D6BF57\",\"stop\":60},{\"color\":\"#54B399\",\"stop\":9
0}],\"continuity\":\"below\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"08732232-1c74-4bc6-9dc9-4fcd5bff66d2\":{\"columns\":{\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X0\":{\"label\":\"Part of Percent TPM Compliant\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"host.tpm.compliant : true\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X1\":{\"label\":\"Part of Percent TPM Compliant\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"host.tpm.compliant : *\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X2\":{\"label\":\"Part of Percent TPM Compliant\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"multiply\",\"args\":[\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X0\",\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X1\"],\"location\":{\"min\":1,\"max\":77},\"text\":\"count(kql='host.tpm.compliant : true') * count(kql='host.tpm.compliant : *')\"},100],\"location\":{\"min\":0,\"max\":84},\"text\":\"(count(kql='host.tpm.compliant : true') * count(kql='host.tpm.compliant : *')) / 100\"}},\"references\":[\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X0\",\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X1\"],\"customLabel\":true},\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02\":{\"label\":\"Percent TPM Compliant\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count(kql='host.tpm.compliant : true') * count(kql='host.tpm.compliant : *')) / 
100\",\"isFormulaBroken\":false,\"format\":{\"id\":\"percent\",\"params\":{\"decimals\":2}}},\"references\":[\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X2\"],\"customLabel\":true}},\"columnOrder\":[\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02\",\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X0\",\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X1\",\"7e0f7dc7-3e17-41e7-9037-426df3fb1e02X2\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":9,\"y\":8,\"w\":39,\"h\":32,\"i\":\"4720fc52-f5a8-4db8-a38c-aacecd78ffd4\"},\"panelIndex\":\"4720fc52-f5a8-4db8-a38c-aacecd78ffd4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-1590c162-36ad-41eb-9bb2-14e1ec9ae08b\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"a3aab062-cb0e-4d7f-8593-ecc6ba8bab6f\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"daf16339-8bfb-4e36-99ce-5e66793f4264\"},{\"isTransposed\":false,\"columnId\":\"39ce7546-1fb9-4625-b47c-b7658520ab4e\"},{\"columnId\":\"ce080286-8ed3-43e4-8df3-f0547b3d2760\",\"isTransposed\":false}],\"layerId\":\"1590c162-36ad-41eb-9bb2-14e1ec9ae08b\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1590c162-36ad-41eb-9bb2-14e1ec9ae08b\":{\"columns\":{\"a3aab062-cb0e-4d7f-8593-ecc6ba8bab6f\":{\"label\":\"Hostname\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\",\"isBucketed\":true,\"params\":{\"size\":150,\"orderBy\":{\"type\":\"column\",\"columnId\":\"39ce7546-1fb9-4625-b47c-b7658520ab4e\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"
missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"daf16339-8bfb-4e36-99ce-5e66793f4264\":{\"label\":\"OS\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"39ce7546-1fb9-4625-b47c-b7658520ab4e\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"39ce7546-1fb9-4625-b47c-b7658520ab4e\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"ce080286-8ed3-43e4-8df3-f0547b3d2760\":{\"label\":\"Kernel\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.os.kernel\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"39ce7546-1fb9-4625-b47c-b7658520ab4e\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"a3aab062-cb0e-4d7f-8593-ecc6ba8bab6f\",\"daf16339-8bfb-4e36-99ce-5e66793f4264\",\"ce080286-8ed3-43e4-8df3-f0547b3d2760\",\"39ce7546-1fb9-4625-b47c-b7658520ab4e\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Host 
List\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":3,\"y\":19,\"w\":6,\"h\":6,\"i\":\"bde24496-933d-417a-bece-b1d1f5b0ec93\"},\"panelIndex\":\"bde24496-933d-417a-bece-b1d1f5b0ec93\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a\"}],\"state\":{\"visualization\":{\"layerId\":\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\",\"layerType\":\"data\",\"metricAccessor\":\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"maxAccessor\":\"450687e0-0597-4ee7-af97-1ee49bea450d\",\"showBar\":true,\"progressDirection\":\"horizontal\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"426889ea-4a64-47bc-b75b-2db8ebe4da1a\":{\"columns\":{\"65782600-85b4-4811-96fe-d5e0b55cec61\":{\"label\":\"TPM Not Available\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true,\"filter\":{\"query\":\"host.tpm.present : \\\"false\\\" \",\"language\":\"kuery\"}},\"450687e0-0597-4ee7-af97-1ee49bea450d\":{\"label\":\"Unique count of 
host.id\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"65782600-85b4-4811-96fe-d5e0b55cec61\",\"450687e0-0597-4ee7-af97-1ee49bea450d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":9,\"h\":15,\"i\":\"336ed7ca-cfb0-4f6f-8537-614b062c122e\"},\"panelIndex\":\"336ed7ca-cfb0-4f6f-8537-614b062c122e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"9267bb1b-cf22-4417-8cfb-6606848140a7\",\"name\":\"indexpattern-datasource-layer-43643552-3cbb-4748-a6ab-d2a73bb57c1a\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"palette\":{\"type\":\"palette\",\"name\":\"cool\"},\"layers\":[{\"layerId\":\"43643552-3cbb-4748-a6ab-d2a73bb57c1a\",\"primaryGroups\":[\"49f19bf6-e3d2-41b0-bc18-1a22f0915d8c\"],\"metrics\":[\"0537ada3-7bcd-48a3-a141-da31c0877743\"],\"numberDisplay\":\"value\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"percentDecimals\":0,\"emptySizeRatio\":0.7,\"legendPosition\":\"right\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"43643552-3cbb-4748-a6ab-d2a73bb57c1a\":{\"columns\":{\"49f19bf6-e3d2-41b0-bc18-1a22f0915d8c\":{\"label\":\"Device Guard 
Versions\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.deviceguard.version\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0537ada3-7bcd-48a3-a141-da31c0877743\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0537ada3-7bcd-48a3-a141-da31c0877743\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"49f19bf6-e3d2-41b0-bc18-1a22f0915d8c\",\"0537ada3-7bcd-48a3-a141-da31c0877743\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"TPM Versions\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-30d/d", + "timeRestore": true, + "timeTo": "now", + "title": "[TYCHON] Virtualization Based Security Settings", + "version": 1 + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-08-28T12:12:27.089Z", + "id": "tychon-f3f86a20-3d47-11ee-9610-15dee918f31a-host", + "migrationVersion": { + "dashboard": "8.6.0" + }, + "references": [ + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "98423c47-09a4-460b-a2b2-f3c111bae4b5:indexpattern-datasource-layer-cebe4c55-66db-4691-b44a-a6282a29a7bd", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "0510df0c-1a13-43a1-a9da-e3837ff6b001:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "2296650a-59b3-49c3-8766-9b3e5dc2a60b:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", 
+ "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "b3b4f8d0-f425-4f30-bf9b-08f9bac344be:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "8288c8d3-8052-4fcb-b8b1-03a03c088699:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "c86a6a37-5078-43c1-aed8-8a49373bafe2:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "cbe84ec6-8b4f-4be4-9862-b72c8ed16f0c:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "d7ddb672-7f1d-4833-a1a5-becc42cf9dec:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "75a9ea69-9a70-490e-b260-664cdc9aa03f:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "6e8d444b-1a29-4b93-90bd-f6aebfa0818c:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "915bad91-ce3c-461d-94ef-5da768d08aa1:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "46f76a3a-3bdf-42cf-9ed6-735fd2f0f27f:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "a1836875-cbd5-44ec-9543-1eea05689733:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", 
+ "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "91fa4dd4-c51a-4d25-bd36-7960198d687c:indexpattern-datasource-layer-e940b5ed-a6d9-488f-871b-d3e89450a469", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "14ea02d4-b08f-4545-8415-c06fc189d8d2:indexpattern-datasource-layer-08732232-1c74-4bc6-9dc9-4fcd5bff66d2", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "4720fc52-f5a8-4db8-a38c-aacecd78ffd4:indexpattern-datasource-layer-1590c162-36ad-41eb-9bb2-14e1ec9ae08b", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "bde24496-933d-417a-bece-b1d1f5b0ec93:indexpattern-datasource-layer-426889ea-4a64-47bc-b75b-2db8ebe4da1a", + "type": "index-pattern" + }, + { + "id": "9267bb1b-cf22-4417-8cfb-6606848140a7", + "name": "336ed7ca-cfb0-4f6f-8537-614b062c122e:indexpattern-datasource-layer-43643552-3cbb-4748-a6ab-d2a73bb57c1a", + "type": "index-pattern" + }, + { + "id": "f26ce820-3d47-11ee-9610-15dee918f31a", + "name": "tag-ref-f26ce820-3d47-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "e18d6100-3c85-11ee-9610-15dee918f31a", + "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a", + "type": "tag" + }, + { + "id": "10af3800-10f3-11ee-af86-538da1394f27", + "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "39b55820-10f2-11ee-af86-538da1394f27", + "name": "tag-ref-39b55820-10f2-11ee-af86-538da1394f27", + "type": "tag" + }, + { + "id": "fleet-managed-default", + "name": "tag-ref-fleet-managed-default", + "type": "tag" + }, + { + "id": "fleet-pkg-tychon-default", + "name": "tag-ref-fleet-pkg-tychon-default", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2023-08-28T12:12:27.089Z", + "version": "Wzg5NzMwMywyMl0=" +} \ No newline at end of file 
diff --git a/packages/tychon/kibana/index_pattern/02acfb43-5302-4331-bb10-4174171f6091.json b/packages/tychon/kibana/index_pattern/02acfb43-5302-4331-bb10-4174171f6091.json
new file mode 100644
index 00000000000..0dfd5e3db51
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/02acfb43-5302-4331-bb10-4174171f6091.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Disk Volumes (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_volume*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T10:59:56.550Z",
+ "id": "02acfb43-5302-4331-bb10-4174171f6091",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T10:59:56.550Z",
+ "version": "Wzc5MSwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/2dc584bc-c446-4150-b561-1415a45ebe87.json b/packages/tychon/kibana/index_pattern/2dc584bc-c446-4150-b561-1415a45ebe87.json
new file mode 100644
index 00000000000..ccc02594952
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/2dc584bc-c446-4150-b561-1415a45ebe87.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Hard Drives (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_harddrive*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-17T21:06:28.654Z",
+ "id": "2dc584bc-c446-4150-b561-1415a45ebe87",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-17T21:07:10.085Z",
+ "version": "WzY2MTQwMywxNl0="
+}
\ No newline at end of file
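Review bot: The Hard Drives view's `"title": "tychon_harddrive*"` does not match the Fleet data stream that the HISTORICAL view in the same line targets (`logs-tychon.tychon_harddrive*`), so it only shows data if something else in the package writes plain `tychon_harddrive…` indices, presumably a transform that this chunk does not show. The same split between `tychon_<dataset>*` and `logs-tychon.tychon_<dataset>*` recurs in every non-HISTORICAL view of this set (disk volumes, CPUs, hardware, network adapters, software inventory, exposed services, host info, CVE, STIG, EPP, ARP). A saved object cannot carry a comment, so the package README should say which component populates the `tychon_*` indices and that these views stay empty until it has run; a bare `tychon_*` prefix also matches any unrelated index a user happens to name that way, which is one more reason to document the intended source.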
diff --git a/packages/tychon/kibana/index_pattern/37150b25-1c34-494e-8214-b58a5a716c95.json b/packages/tychon/kibana/index_pattern/37150b25-1c34-494e-8214-b58a5a716c95.json
new file mode 100644
index 00000000000..a7e06190996
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/37150b25-1c34-494e-8214-b58a5a716c95.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Host CPUs (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_cpu*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:08:35.623Z",
+ "id": "37150b25-1c34-494e-8214-b58a5a716c95",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:08:35.623Z",
+ "version": "Wzc5NiwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/39822d3a-870f-4a82-8928-e9264b4d1a31.json b/packages/tychon/kibana/index_pattern/39822d3a-870f-4a82-8928-e9264b4d1a31.json
new file mode 100644
index 00000000000..3b2a85f6ad4
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/39822d3a-870f-4a82-8928-e9264b4d1a31.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Network Adapters (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_networkadapter*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:12:13.334Z",
+ "id": "39822d3a-870f-4a82-8928-e9264b4d1a31",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:12:13.334Z",
+ "version": "Wzc5OCwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/41d172ee-a0b8-4b20-9c93-6482f0abbdec.json b/packages/tychon/kibana/index_pattern/41d172ee-a0b8-4b20-9c93-6482f0abbdec.json
new file mode 100644
index 00000000000..566e97545f4
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/41d172ee-a0b8-4b20-9c93-6482f0abbdec.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Hardware (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_hardware*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:07:03.361Z",
+ "id": "41d172ee-a0b8-4b20-9c93-6482f0abbdec",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:07:03.361Z",
+ "version": "Wzc5NSwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/4b420fb2-cf3e-40a2-a8fe-92db1bd570b2.json b/packages/tychon/kibana/index_pattern/4b420fb2-cf3e-40a2-a8fe-92db1bd570b2.json
new file mode 100644
index 00000000000..1eec4f2bb4f
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/4b420fb2-cf3e-40a2-a8fe-92db1bd570b2.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - ARP (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_arp*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T10:52:54.243Z",
+ "id": "4b420fb2-cf3e-40a2-a8fe-92db1bd570b2",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T10:52:54.243Z",
+ "version": "Wzc5MCwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/5be62502-2bab-4d66-97ff-d9373963c50d.json b/packages/tychon/kibana/index_pattern/5be62502-2bab-4d66-97ff-d9373963c50d.json
new file mode 100644
index 00000000000..c525296301e
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/5be62502-2bab-4d66-97ff-d9373963c50d.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Vulnerability Information (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_cve*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:17:22.732Z",
+ "id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:17:22.732Z",
+ "version": "WzgwMCwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/62456a9a-bd4c-4b57-b6b5-5556b6869ce5.json b/packages/tychon/kibana/index_pattern/62456a9a-bd4c-4b57-b6b5-5556b6869ce5.json
new file mode 100644
index 00000000000..5380cfbaa18
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/62456a9a-bd4c-4b57-b6b5-5556b6869ce5.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Disk Volumes (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_volume*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-18T17:39:23.422Z",
+ "id": "62456a9a-bd4c-4b57-b6b5-5556b6869ce5",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-18T17:39:23.422Z",
+ "version": "WzY4MTg4OCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/6c3bf5e0-0feb-4113-a417-ac5e69cd6e00.json b/packages/tychon/kibana/index_pattern/6c3bf5e0-0feb-4113-a417-ac5e69cd6e00.json
new file mode 100644
index 00000000000..d1d488c2e4b
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/6c3bf5e0-0feb-4113-a417-ac5e69cd6e00.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Endpoint Protection Status (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_epp*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-06-22T19:32:15.953Z",
+ "id": "6c3bf5e0-0feb-4113-a417-ac5e69cd6e00",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-06-22T19:32:45.709Z",
+ "version": "WzI4NTA1MSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/6ce8198c-8c52-4f20-8e68-b566ebf84b18.json b/packages/tychon/kibana/index_pattern/6ce8198c-8c52-4f20-8e68-b566ebf84b18.json
new file mode 100644
index 00000000000..36f04a22bd9
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/6ce8198c-8c52-4f20-8e68-b566ebf84b18.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Endpoint Protection Services (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_epp*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:01:55.546Z",
+ "id": "6ce8198c-8c52-4f20-8e68-b566ebf84b18",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:01:55.546Z",
+ "version": "Wzc5MiwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/78931842-dc88-45d7-a6ee-d79fb9f615bd.json b/packages/tychon/kibana/index_pattern/78931842-dc88-45d7-a6ee-d79fb9f615bd.json
new file mode 100644
index 00000000000..701be17a005
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/78931842-dc88-45d7-a6ee-d79fb9f615bd.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{\"host.hostname\":{\"count\":2},\"vulnerability.iava\":{\"count\":1},\"vulnerability.id\":{\"count\":2},\"vulnerability.result\":{\"count\":2}}",
+ "fieldFormatMap": "{\"vulnerability.reference\":{\"id\":\"url\",\"params\":{}}}",
+ "fields": "[]",
+ "name": "Vulnerability Data (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_cve*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-06-20T13:44:21.061Z",
+ "id": "78931842-dc88-45d7-a6ee-d79fb9f615bd",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-06-22T13:18:00.210Z",
+ "version": "WzI4MDk5OSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/7d972a32-d117-4963-a7bf-58fc65fb1ee8.json b/packages/tychon/kibana/index_pattern/7d972a32-d117-4963-a7bf-58fc65fb1ee8.json
new file mode 100644
index 00000000000..4c23b41d562
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/7d972a32-d117-4963-a7bf-58fc65fb1ee8.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - STIG SCAP Results (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_stig*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:15:38.058Z",
+ "id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:15:38.058Z",
+ "version": "Wzc5OSwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/8532a0b4-2a02-4dfa-b6aa-aabe01125b61.json b/packages/tychon/kibana/index_pattern/8532a0b4-2a02-4dfa-b6aa-aabe01125b61.json
new file mode 100644
index 00000000000..a50be3c86da
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/8532a0b4-2a02-4dfa-b6aa-aabe01125b61.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{\"agent.name\":{\"count\":1},\"tychon.id\":{\"count\":2}}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "ARP (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "tychon_arp*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-04-03T15:59:09.464Z",
+ "id": "8532a0b4-2a02-4dfa-b6aa-aabe01125b61",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-18T13:15:57.463Z",
+ "version": "WzY3NTUxMCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/9267bb1b-cf22-4417-8cfb-6606848140a7.json b/packages/tychon/kibana/index_pattern/9267bb1b-cf22-4417-8cfb-6606848140a7.json
new file mode 100644
index 00000000000..b7a203dafdf
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/9267bb1b-cf22-4417-8cfb-6606848140a7.json
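Review bot: The ARP view (8532a0b4) sets `"timeFieldName": "event.ingested"` while every other non-HISTORICAL view in this set (Hard Drives, Disk Volumes, Endpoint Protection Status, Vulnerability Data, Host Info, Host CPUs, Hardware, Software Inventory, Network Adapters, Exposed Services, STIG SCAP Results) uses `@timestamp`; only the HISTORICAL `logs-tychon.*` views use `event.ingested`. If that is unintentional, the time picker on this view filters on ingest time rather than observation time, and any document without `event.ingested` is excluded from every time-bounded query. Unless the `tychon_arp*` indices genuinely lack `@timestamp`, change the line to `"timeFieldName": "@timestamp",`.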
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Host Info [TYCHON]",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_host*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-23T00:22:24.456Z",
+ "id": "9267bb1b-cf22-4417-8cfb-6606848140a7",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-23T00:22:40.345Z",
+ "version": "Wzc5NjEzMywyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/a264bf8d-abc3-4789-9f4c-bf76397e06ba.json b/packages/tychon/kibana/index_pattern/a264bf8d-abc3-4789-9f4c-bf76397e06ba.json
new file mode 100644
index 00000000000..6fa2f911060
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/a264bf8d-abc3-4789-9f4c-bf76397e06ba.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Host CPUs (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_cpu*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-17T22:16:32.434Z",
+ "id": "a264bf8d-abc3-4789-9f4c-bf76397e06ba",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-17T22:16:32.434Z",
+ "version": "WzY2MzMzNiwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/a57870ef-07d8-4d12-a067-8c66eefd10ca.json b/packages/tychon/kibana/index_pattern/a57870ef-07d8-4d12-a067-8c66eefd10ca.json
new file mode 100644
index 00000000000..94b023c72b4
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/a57870ef-07d8-4d12-a067-8c66eefd10ca.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Hardware (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_hardware*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-18T19:57:22.691Z",
+ "id": "a57870ef-07d8-4d12-a067-8c66eefd10ca",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-18T19:57:22.691Z",
+ "version": "WzY4MzgwMCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/a61d021d-d78f-485d-93b2-8075149794af.json b/packages/tychon/kibana/index_pattern/a61d021d-d78f-485d-93b2-8075149794af.json
new file mode 100644
index 00000000000..0c3f5bb5bed
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/a61d021d-d78f-485d-93b2-8075149794af.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Host Info (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_host*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:10:11.104Z",
+ "id": "a61d021d-d78f-485d-93b2-8075149794af",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:10:11.104Z",
+ "version": "Wzc5NywyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/b006641c-69de-48bd-9a5a-1125f0da1c0b.json b/packages/tychon/kibana/index_pattern/b006641c-69de-48bd-9a5a-1125f0da1c0b.json
new file mode 100644
index 00000000000..5d8c5b3aaa2
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/b006641c-69de-48bd-9a5a-1125f0da1c0b.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Exposed Services (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_exposedservice*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:03:43.470Z",
+ "id": "b006641c-69de-48bd-9a5a-1125f0da1c0b",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:03:43.470Z",
+ "version": "Wzc5MywyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/bb5226cd-c099-46d2-bb71-0257232c7d82.json b/packages/tychon/kibana/index_pattern/bb5226cd-c099-46d2-bb71-0257232c7d82.json
new file mode 100644
index 00000000000..945bd38e235
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/bb5226cd-c099-46d2-bb71-0257232c7d82.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{\"event.dataset\":{\"count\":1}}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "All TYCHON Logs (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-04-05T12:18:33.104Z",
+ "id": "bb5226cd-c099-46d2-bb71-0257232c7d82",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-04-05T12:59:43.059Z",
+ "version": "WzI1OTI3LDNd"
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/c6b645d3-dd29-43f2-b831-49e29ffd5b6c.json b/packages/tychon/kibana/index_pattern/c6b645d3-dd29-43f2-b831-49e29ffd5b6c.json
new file mode 100644
index 00000000000..a0e117c3ead
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/c6b645d3-dd29-43f2-b831-49e29ffd5b6c.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Exposed Services (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_exposedservice*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-17T13:10:42.315Z",
+ "id": "c6b645d3-dd29-43f2-b831-49e29ffd5b6c",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-17T13:10:42.315Z",
+ "version": "WzY0Mjg1OCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/df491fbb-3f09-4ab0-995a-c2c549a9bc21.json b/packages/tychon/kibana/index_pattern/df491fbb-3f09-4ab0-995a-c2c549a9bc21.json
new file mode 100644
index 00000000000..1a1178df71e
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/df491fbb-3f09-4ab0-995a-c2c549a9bc21.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{\"event.provider\":{\"count\":1}}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Windows Application Logs (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "logs-system.application*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-06-21T13:44:35.159Z",
+ "id": "df491fbb-3f09-4ab0-995a-c2c549a9bc21",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-06-21T13:45:32.456Z",
+ "version": "WzI2NzU5NSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/e0015160-781d-4885-9ae6-04230d059bfb.json b/packages/tychon/kibana/index_pattern/e0015160-781d-4885-9ae6-04230d059bfb.json
new file mode 100644
index 00000000000..8efc6791749
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/e0015160-781d-4885-9ae6-04230d059bfb.json
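Review bot: The `Windows Application Logs (TYCHON)` view (df491fbb) has `"title": "logs-system.application*"`, which is the System integration's data stream rather than anything this package writes, yet it is shipped as a `"managed": true` asset of tychon. It will therefore be created and removed with this package and only ever has data when the System integration is installed alongside it, a dependency that nothing in this chunk declares. If the dashboards rely on it, state that dependency in the package README (and in the manifest, if the package spec has a field for it); otherwise drop the view and point the panels at the data view the System package already provides.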
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Software Inventory (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_softwareinventory*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-18T19:23:20.043Z",
+ "id": "e0015160-781d-4885-9ae6-04230d059bfb",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-18T19:23:20.043Z",
+ "version": "WzY4MzE0MiwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/e886429e-9532-4f44-bb36-6465fe760866.json b/packages/tychon/kibana/index_pattern/e886429e-9532-4f44-bb36-6465fe760866.json
new file mode 100644
index 00000000000..35dc1490219
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/e886429e-9532-4f44-bb36-6465fe760866.json
@@ -0,0 +1,24 @@
+{
+ "attributes": {
+ "fieldAttrs": "{\"tychon.id\":{\"count\":1}}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "Network Adapters (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "@timestamp",
+ "title": "tychon_networkadapter*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-18T19:11:21.754Z",
+ "id": "e886429e-9532-4f44-bb36-6465fe760866",
+ "managed": true,
+ "migrationVersion": {
+ "index-pattern": "8.0.0"
+ },
+ "references": [],
+ "type": "index-pattern",
+ "updated_at": "2023-08-18T22:15:54.140Z",
+ "version": "WzY5MDAzMywxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/eb4dc1c4-9f76-4b3c-976c-fc1575288e2d.json b/packages/tychon/kibana/index_pattern/eb4dc1c4-9f76-4b3c-976c-fc1575288e2d.json
new file mode 100644
index 00000000000..c8ac4c372e6
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/eb4dc1c4-9f76-4b3c-976c-fc1575288e2d.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "fieldAttrs": "{}",
+ "fieldFormatMap": "{}",
+ "fields": "[]",
+ "name": "HISTORICAL - Hard Drives (TYCHON)",
+ "runtimeFieldMap": "{}",
+ "sourceFilters": "[]",
+ "timeFieldName": "event.ingested",
+ "title": "logs-tychon.tychon_harddrive*",
+ "typeMeta": "{}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T11:05:32.346Z",
+ "id": "eb4dc1c4-9f76-4b3c-976c-fc1575288e2d",
+ "managed": true,
+ "references": [],
+ "type": "index-pattern",
+ "typeMigrationVersion": "8.0.0",
+ "updated_at": "2023-08-30T11:05:32.346Z",
+ "version": "Wzc5NCwyXQ=="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/index_pattern/ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a.json b/packages/tychon/kibana/index_pattern/ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a.json
new file mode 100644
index 00000000000..04fa130eb20
--- /dev/null
+++ b/packages/tychon/kibana/index_pattern/ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a.json
@@ -0,0 +1,24 @@ +{ + "attributes": { + "fieldAttrs": "{\"STIG_ID\":{\"count\":3},\"rule.id\":{\"count\":2},\"VULN_ID\":{\"count\":2},\"rule.result.score\":{\"count\":2},\"benchmark.name\":{\"count\":1},\"rule.finding_id\":{\"count\":1},\"rule.result\":{\"count\":1}}", + "fieldFormatMap": "{}", + "fields": "[]", + "name": "STIG SCAP Results (TYCHON)", + "runtimeFieldMap": "{\"STIG_ID\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc[\\\"rule.id\\\"].length \u003e 0){\\r\\n def rule_id = doc[\\\"rule.id\\\"].value;\\r\\nif (rule_id == ''){\\r\\n def rule_name = doc[\\\"rule.name\\\"].value.replace('xccdf_mil.disa.stig_rule_','');\\r\\n def iof = rule_name.indexOf('r');\\r\\n emit(rule_name.substring(0, iof))\\r\\n}else{\\r\\n emit(rule_id)\\r\\n}\\r\\n\\r\\n}\\r\\nelse{\\r\\n emit(\\\"\\\")\\r\\n}\"}},\"VULN_ID\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc[\\\"rule.id\\\"].length \u003e 0){\\r\\n def rule_id = doc[\\\"rule.id\\\"].value;\\r\\nif (rule_id == ''){\\r\\n def rule_name = doc[\\\"rule.name\\\"].value.replace('xccdf_mil.disa.stig_rule_','');\\r\\n def iof = rule_name.indexOf('r');\\r\\n emit(rule_name.substring(0, iof))\\r\\n}else{\\r\\n emit(rule_id)\\r\\n}\\r\\n\\r\\n}\\r\\nelse{\\r\\n emit(\\\"\\\")\\r\\n}\"}},\"rule.result.score\":{\"type\":\"long\",\"script\":{\"source\":\"if (doc[\\\"rule.result\\\"].length \u003e 0){\\r\\n if (doc[\\\"rule.result\\\"].value == \\\"fail\\\"){\\r\\n emit(10)\\r\\n }else{\\r\\n emit(0)\\r\\n }\\r\\n \\r\\n}\"}},\"benchmarkname\":{\"type\":\"keyword\",\"script\":{\"source\":\"if (doc[\\\"benchmark.name\\\"].length \u003e 0){\\r\\n def namesplit = doc[\\\"benchmark.name\\\"].value.replace(\\\"scap_mil.disa.stig_cref_U_\\\",\\\"\\\").replace(\\\"_STIG_SCAP_1-2_Benchmark-xccdf.xml\\\", \\\"\\\");\\r\\n emit(namesplit);\\r\\n}\\r\\n\\r\\n\\r\\n\"}}}", + "sourceFilters": "[]", + "timeFieldName": "@timestamp", + "title": "tychon_stig*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "8.8.0", + 
"created_at": "2023-06-20T13:50:39.404Z", + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "managed": true, + "migrationVersion": { + "index-pattern": "8.0.0" + }, + "references": [], + "type": "index-pattern", + "updated_at": "2023-06-21T19:05:32.364Z", + "version": "WzI3NDQxOCwxM10=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/index_pattern/f215a0b2-b613-4a33-9959-cd7e34b1a1e2.json b/packages/tychon/kibana/index_pattern/f215a0b2-b613-4a33-9959-cd7e34b1a1e2.json new file mode 100644 index 00000000000..0813966614a --- /dev/null +++ b/packages/tychon/kibana/index_pattern/f215a0b2-b613-4a33-9959-cd7e34b1a1e2.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "fieldAttrs": "{}", + "fieldFormatMap": "{}", + "fields": "[]", + "name": "HISTORICAL - Software Inventory (TYCHON)", + "runtimeFieldMap": "{}", + "sourceFilters": "[]", + "timeFieldName": "event.ingested", + "title": "logs-tychon.tychon_softwareinventory*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-08-30T11:15:38.058Z", + "id": "f215a0b2-b613-4a33-9959-cd7e34b1a1e2", + "managed": true, + "references": [], + "type": "index-pattern", + "typeMigrationVersion": "8.0.0", + "updated_at": "2023-08-30T11:15:38.058Z", + "version": "Wzc5OSwyXQ==" +} \ No newline at end of file diff --git a/packages/tychon/kibana/lens/tychon-1d1b99c0-c3e4-11eb-8956-0b1a70e695fd.json b/packages/tychon/kibana/lens/tychon-1d1b99c0-c3e4-11eb-8956-0b1a70e695fd.json new file mode 100644 index 00000000000..fe3fde918ed --- /dev/null +++ b/packages/tychon/kibana/lens/tychon-1d1b99c0-c3e4-11eb-8956-0b1a70e695fd.json 
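Review bot: The `STIG_ID` and `VULN_ID` runtime scripts in `runtimeFieldMap` call `rule_name.substring(0, iof)` without checking the result of `indexOf('r')`, so a `rule.name` that does not contain an `r` after the `xccdf_mil.disa.stig_rule_` prefix gives `iof == -1` and the script throws, which fails every query that touches this data view rather than just that document. Guard it, e.g. `if (iof < 0) { emit(rule_name) } else { emit(rule_name.substring(0, iof)) }`, and check `doc["rule.name"].size() > 0` before reading `.value` for the same reason. The two scripts are byte-identical; if both field names are needed, note that in the package docs so they are changed together. This index-pattern hunk starts on the previous line.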
@@ -0,0 +1,203 @@ +{ + "attributes": { + "description": null, + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d985e735-8ce6-4cee-acea-2df5ee48fc05": { + "columnOrder": [ + "4692dda1-54b4-4b3f-8e76-20708e22e1ab", + "adde9065-5817-4ddc-b340-d71519a94995", + "edb01db2-fa13-4ba2-9971-d96b5d42e47e" + ], + "columns": { + "4692dda1-54b4-4b3f-8e76-20708e22e1ab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Results and Severity", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "rule.severity" + }, + "adde9065-5817-4ddc-b340-d71519a94995": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of rule.result", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "edb01db2-fa13-4ba2-9971-d96b5d42e47e", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "rule.result" + }, + "edb01db2-fa13-4ba2-9971-d96b5d42e47e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Results", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + }, + "dc42e337-08a9-4623-b480-57aaf4e69a0e": { + "columnOrder": [ + "bef1ef67-b5fb-4177-9077-17be73a0c360", + "32dece06-5eb5-45bd-9a70-e7d623409d89", + "628defec-6d4e-4df0-be5a-d58b051d5bb1" + ], + "columns": { + "32dece06-5eb5-45bd-9a70-e7d623409d89": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of rule.result", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "628defec-6d4e-4df0-be5a-d58b051d5bb1", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + 
"sourceField": "rule.result" + }, + "628defec-6d4e-4df0-be5a-d58b051d5bb1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bef1ef67-b5fb-4177-9077-17be73a0c360": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of rule.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "628defec-6d4e-4df0-be5a-d58b051d5bb1", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "rule.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "edb01db2-fa13-4ba2-9971-d96b5d42e47e" + ], + "layerId": "d985e735-8ce6-4cee-acea-2df5ee48fc05", + "layerType": "data", + "palette": { + "name": "complimentary", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_horizontal_percentage_stacked", + "showGridlines": false, + "splitAccessor": "adde9065-5817-4ddc-b340-d71519a94995", + "xAccessor": "4692dda1-54b4-4b3f-8e76-20708e22e1ab" + }, + { + "accessors": [ + "628defec-6d4e-4df0-be5a-d58b051d5bb1" + ], + "layerId": "dc42e337-08a9-4623-b480-57aaf4e69a0e", + "layerType": "data", + "palette": { + "name": "complimentary", + "type": "palette" + }, + "seriesType": "bar_horizontal_percentage_stacked", + "splitAccessor": "bef1ef67-b5fb-4177-9077-17be73a0c360", + "xAccessor": "32dece06-5eb5-45bd-9a70-e7d623409d89" + } + ], + "legend": { + "isVisible": false, + "legendSize": "auto", + "position": "left", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_percentage_stacked", + "title": "Empty XY chart" + } + }, + "title": "CCRI: Rule Results by Severity 
Percentage - Lens", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "8.6.2", + "created_at": "2023-06-28T13:11:33.495Z", + "id": "tychon-1d1b99c0-c3e4-11eb-8956-0b1a70e695fd", + "migrationVersion": { + "lens": "8.6.0" + }, + "references": [ + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "indexpattern-datasource-layer-d985e735-8ce6-4cee-acea-2df5ee48fc05", + "type": "index-pattern" + }, + { + "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a", + "name": "indexpattern-datasource-layer-dc42e337-08a9-4623-b480-57aaf4e69a0e", + "type": "index-pattern" + } + ], + "type": "lens", + "updated_at": "2023-06-28T13:11:33.495Z", + "version": "WzMyOTA4NSwxM10=" +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27.json b/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27.json new file mode 100644 index 00000000000..aecfd32fecc --- /dev/null +++ b/packages/tychon/kibana/security_rule/10359860-1139-11ee-af86-538da1394f27.json 
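Review bot: The visualization state still carries the editor defaults `"title": "Empty XY chart"` and `"description": null` while the saved-object title is `CCRI: Rule Results by Severity Percentage - Lens`; the inner title is not rendered but reads as an unfinished export, and `description` should be `""` or omitted to match the other saved objects. Both layers reference the same data view `ed7c1bb4-…` and compute the same count split by `rule.severity` and `rule.result`, with only the x-axis and split accessors swapped between them; if the second layer is intentional, a sentence in the package README explaining the two layers would help the next maintainer, and if not it can be dropped. `coreMigrationVersion` is `8.6.2` here versus `8.8.0` on the index patterns, which suggests this was exported from an older stack. This Lens hunk starts two lines earlier.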
@@ -0,0 +1,54 @@ +{ + "id": "10359860-1139-11ee-af86-538da1394f27", + "type": "security-rule", + "attributes": { + "name": "CAT 1 IAVA Vulnerability Detected", + "tags": [ + "TYCHON", + "CVE", + "CCRI" + ], + "interval": "5m", + "enabled": true, + "description": "A category one IAVA has been detected as being vulnerable", + "risk_score": 90, + "severity": "high", + "note": "Investigator should work to patch this system for this IAVA as quickly as possible.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "10359860-1139-11ee-af86-538da1394f27", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "reference": "https://attack.mitre.org/tactics/TA0001", + "name": "Initial Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "5be62502-2bab-4d66-97ff-d9373963c50d", + "query": "vulnerability.iava_severity : \"CAT I\" and vulnerability.result : \"fail\" ", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/2140f083-6e39-4df4-ba41-aa1f41cb81b8.json b/packages/tychon/kibana/security_rule/2140f083-6e39-4df4-ba41-aa1f41cb81b8.json new file mode 100644 index 00000000000..cfd43cee0d1 --- /dev/null +++ b/packages/tychon/kibana/security_rule/2140f083-6e39-4df4-ba41-aa1f41cb81b8.json 
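Review bot: `related_integrations` and `required_fields` are empty although the rule depends on the tychon integration and on `vulnerability.iava_severity` and `vulnerability.result`; populating them lets the Security app show whether the integration is installed and whether the queried fields exist, e.g. `"required_fields": [{"name": "vulnerability.iava_severity", "type": "keyword", "ecs": false}, {"name": "vulnerability.result", "type": "keyword", "ecs": false}]`. The same applies to every security_rule file in this commit. `risk_score: 90` with `severity: "high"` sits between the Kibana defaults for high (73) and critical (99); since a CAT I IAVA is the most urgent class here and 'Past Due Vulnerability Failed' uses critical/99, consider whether this one should be `"severity": "critical"` too. The `data_view_id` `5be62502-…` is not among the index patterns visible in this chunk, so I cannot confirm it ships with the package; a rule whose data view is missing fails on its first run.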
@@ -0,0 +1,60 @@ +{ + "id": "2140f083-6e39-4df4-ba41-aa1f41cb81b8", + "type": "security-rule", + "attributes": { + "name": "High number of SCAP Failures", + "tags": [ + "TYCHON", + "CCRI" + ], + "interval": "1h", + "enabled": true, + "description": "TYCHON has reported a high number of SCAP failures for an endpoint. This can indicate a very weak security posture for an endpoint.", + "risk_score": 47, + "severity": "medium", + "note": "The system may need to be isolated. Investigate the SCAP results for this system and perform fixes for all High and Medium checks. ", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-3660s", + "rule_id": "2140f083-6e39-4df4-ba41-aa1f41cb81b8", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "reference": "https://attack.mitre.org/tactics/TA0007", + "name": "Discovery" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "threshold", + "language": "kuery", + "data_view_id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8", + "query": "rule.result : \"fail\" and not rule.severity : \"low\" ", + "filters": [], + "threshold": { + "field": [ + "tychon.id" + ], + "value": 20, + "cardinality": [] + }, + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27.json b/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27.json new file mode 100644 index 00000000000..f2367efc402 --- /dev/null +++ b/packages/tychon/kibana/security_rule/2e5a7e20-1137-11ee-af86-538da1394f27.json 
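Review bot: The threat mapping assigns the MITRE tactic Discovery (TA0007) to a compliance-posture rule; SCAP failures are not adversary behaviour, and the two definitions-out-of-date rules in this commit use `"threat": []`, which is the more accurate choice and keeps `kibana.alert.rule.threat` from misleading triage (the Initial Access mapping on the CVE rules has the same problem). Also `not rule.severity : "low"` matches documents that have no `rule.severity` at all; if the field can be absent, `rule.result : "fail" and rule.severity : ("high" or "medium")` is the tighter form — I cannot see the mapping, so confirm the value set before changing it.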
@@ -0,0 +1,61 @@ +{ + "id": "2e5a7e20-1137-11ee-af86-538da1394f27", + "type": "security-rule", + "attributes": { + "name": "Windows Defender Feature Reported as Disabled", + "tags": [ + "TYCHON", + "EPP", + "CCRI" + ], + "interval": "5m", + "enabled": true, + "description": "A Feature in Windows Defender has been set to disabled in the latest report from the TYCHON Agentless Module", + "risk_score": 60, + "severity": "medium", + "note": "Analysts should look into the history of this endpoint to figure out when the feature was disabled and work to re-enable the feature.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "2e5a7e20-1137-11ee-af86-538da1394f27", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "reference": "https://attack.mitre.org/tactics/TA0005", + "name": "Defense Evasion" + }, + "technique": [ + { + "id": "T1089", + "reference": "https://attack.mitre.org/techniques/T1089", + "name": "Disabling Security Tools", + "subtechnique": [] + } + ] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "6ce8198c-8c52-4f20-8e68-b566ebf84b18", + "query": "windows_defender.service.antimalware.status : \"Disabled\" or windows_defender.service.antispyware.status :\"Disabled\" or windows_defender.service.antivirus.status : \"Disabled\" or windows_defender.service.behavior_monitor.status : \"Disabled\" or windows_defender.service.ioav_protection.status : \"Disabled\" or windows_defender.service.nis.status : \"Disabled\" or windows_defender.service.on_access_protection.status : \"Disabled\" or windows_defender.service.real_time_protection.status : \"Disabled\" ", + "filters": [], + "throttle": "no_actions", + 
"actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27.json b/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27.json new file mode 100644 index 00000000000..33a866d7a7c --- /dev/null +++ b/packages/tychon/kibana/security_rule/2e9c9ac0-1138-11ee-af86-538da1394f27.json @@ -0,0 +1,54 @@ +{ + "id": "2e9c9ac0-1138-11ee-af86-538da1394f27", + "type": "security-rule", + "attributes": { + "name": "Critical Vulnerability Failed", + "tags": [ + "TYCHON", + "CCRI", + "CVE" + ], + "interval": "5m", + "enabled": true, + "description": "A vulnerability that has been categorized as Critical by NVD has been reported as failed.", + "risk_score": 90, + "severity": "high", + "note": "Investigators should get systems with critical vulnerabilities patched and ensure mitigations are in place while the system is vulenrable.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "2e9c9ac0-1138-11ee-af86-538da1394f27", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "reference": "https://attack.mitre.org/tactics/TA0001", + "name": "Initial Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "5be62502-2bab-4d66-97ff-d9373963c50d", + "query": "vulnerability.severity :\"CRITICAL\" and vulnerability.result : \"fail\" ", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file 
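Review bot: Technique `T1089` 'Disabling Security Tools' was deprecated by MITRE and folded into `T1562.001` 'Disable or Modify Tools' under 'Impair Defenses'; the rule should reference the current technique, e.g. `{"id": "T1562", "reference": "https://attack.mitre.org/techniques/T1562", "name": "Impair Defenses", "subtechnique": [{"id": "T1562.001", "reference": "https://attack.mitre.org/techniques/T1562/001", "name": "Disable or Modify Tools"}]}`. The eight-clause `or` query can be collapsed with a field wildcard, `windows_defender.service.*.status : "Disabled"`, but only if no other `windows_defender.service.*.status` field should be excluded — confirm against the mapping. This rule's hunk starts on the previous line.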
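Review bot: The `note` has a typo in user-facing investigation text, `vulenrable` → `vulnerable`. The rule fires on NVD Critical findings but is assigned `severity: "high"` with `risk_score: 90`, while 'High Vulnerability Failed' is medium/60 and 'Past Due Vulnerability Failed' is critical/99; a consistent ladder would make this one `"severity": "critical"` so the NVD rating and the alert severity agree. The query string ends with a trailing space, as do several others in this commit; harmless but worth trimming before the package is published.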
diff --git a/packages/tychon/kibana/security_rule/55faa99b-ce17-4a41-9f63-4a7439e3543a.json b/packages/tychon/kibana/security_rule/55faa99b-ce17-4a41-9f63-4a7439e3543a.json new file mode 100644 index 00000000000..b019ca5a060 --- /dev/null +++ b/packages/tychon/kibana/security_rule/55faa99b-ce17-4a41-9f63-4a7439e3543a.json @@ -0,0 +1,57 @@ +{ + "id": "55faa99b-ce17-4a41-9f63-4a7439e3543a", + "type": "security-rule", + "attributes": { + "name": "New Device Discovered", + "tags": [ + "TYCHON", + "ARP" + ], + "interval": "8h", + "enabled": false, + "description": "TYCHON pulls the ARP tables from endpoints, when new devices are found they should be investigated and validated.", + "risk_score": 21, + "severity": "low", + "note": "New devices come online and offline constantly, the MAC address should be investigated and resolved.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-32400s", + "rule_id": "55faa99b-ce17-4a41-9f63-4a7439e3543a", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0007", + "reference": "https://attack.mitre.org/tactics/TA0007", + "name": "Discovery" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "new_terms", + "query": "not destination.mac : \"ff-ff-ff-ff-ff-ff\" ", + "new_terms_fields": [ + "destination.mac" + ], + "history_window_start": "now-7d", + "filters": [], + "language": "kuery", + "data_view_id": "4b420fb2-cf3e-40a2-a8fe-92db1bd570b2", + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/5be38411-3902-4686-8209-1ab75a6d3847.json b/packages/tychon/kibana/security_rule/5be38411-3902-4686-8209-1ab75a6d3847.json new file mode 100644 index 00000000000..56b2a029381 
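Review bot: The new-terms query excludes only the broadcast address, so multicast entries that ARP tables routinely hold (IPv4 `01-00-5e-…`, IPv6 `33-33-…`) and randomised client MACs will each surface as a "new device" and generate noise once the rule is enabled; if the agent reports MACs in this dash-separated lowercase form, `not destination.mac : ("ff-ff-ff-ff-ff-ff" or 01-00-5e-* or 33-33-*)` removes the multicast set — I cannot confirm the format from here. This is the only rule in the commit shipped with `enabled: false`; a sentence in `note` saying why it is off and what to validate before enabling it would tell the operator what is expected.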
--- /dev/null +++ b/packages/tychon/kibana/security_rule/5be38411-3902-4686-8209-1ab75a6d3847.json @@ -0,0 +1,60 @@ +{ + "id": "5be38411-3902-4686-8209-1ab75a6d3847", + "type": "security-rule", + "attributes": { + "name": "Large number of failed Vulnerabilities ", + "tags": [ + "CVE", + "TYCHON" + ], + "interval": "1h", + "enabled": true, + "description": "This endpoint has been determined to have a high number of total vulnerabilities failed, this can indicate an extremely exposed endpoint.", + "risk_score": 73, + "severity": "high", + "note": "Due to the high number of failed CVE checks, it is recommended that the security administrator quarantine this system immediately and bring the machine up to date with all patches. ", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-3900s", + "rule_id": "5be38411-3902-4686-8209-1ab75a6d3847", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "reference": "https://attack.mitre.org/tactics/TA0001", + "name": "Initial Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "threshold", + "language": "kuery", + "data_view_id": "5be62502-2bab-4d66-97ff-d9373963c50d", + "query": "vulnerability.result : \"fail\" ", + "filters": [], + "threshold": { + "field": [ + "tychon.id" + ], + "value": 30, + "cardinality": [] + }, + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7.json b/packages/tychon/kibana/security_rule/6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7.json new file mode 100644 index 00000000000..79d17783d16 --- /dev/null +++ b/packages/tychon/kibana/security_rule/6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7.json 
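Review bot: `name` has a trailing space, `"Large number of failed Vulnerabilities "`, which will show in the rule list and in anything filtering on `kibana.alert.rule.name`; trim it. The `note` advises quarantining the host immediately, a disruptive action for a threshold of 30 failed checks that, with the query being only `vulnerability.result : "fail"`, can be reached entirely with low-severity CVEs; either scope the query to `vulnerability.result : "fail" and vulnerability.severity : ("CRITICAL" or "HIGH")` (values this commit already uses) or soften the note to "assess exposure and isolate if warranted".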
@@ -0,0 +1,45 @@ +{ + "id": "6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7", + "type": "security-rule", + "attributes": { + "name": "TYCHON Benchmark SCAP Definition File Out of Date", + "tags": [ + "TYCHON", + "SCAP" + ], + "interval": "24h", + "enabled": true, + "description": "TYCHON updates its SCAP definitions daily and should be no more than 120 days old to ensure you are working from the most up-to-date requirements and settings. ", + "risk_score": 47, + "severity": "medium", + "note": "TYCHON Definitions are updated daily, check the local host logs and see if there are issues with TYCHON definitions updating. You can obtain the latest version from the TYCHON support site.\n\nhttps://support.tychon.io", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-86460s", + "rule_id": "6040cb5c-5e01-4f4d-af7f-9ca9c11dbdc7", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [ + "https://support.tychon.io" + ], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "a61d021d-d78f-485d-93b2-8075149794af", + "query": "tychon.definition.stig \u003c \"now-120d\"", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/6839b82b-22bf-418f-a86b-7e7a4cd074d7.json b/packages/tychon/kibana/security_rule/6839b82b-22bf-418f-a86b-7e7a4cd074d7.json new file mode 100644 index 00000000000..bf685e52528 --- /dev/null +++ b/packages/tychon/kibana/security_rule/6839b82b-22bf-418f-a86b-7e7a4cd074d7.json 
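Review bot: `tychon.definition.stig < "now-120d"` relies on the field being mapped as `date` so Elasticsearch evaluates the date-math string; on a keyword field the comparison degrades to a lexical string compare and never matches, so please confirm the mapping in the package's field definitions. The sibling 'TYCHON Vulnerability Definitions Out of Date' rule does the same kind of check every 5 minutes whereas this one runs every 24h; a note in the package docs on why the cadence differs would help, and 'Past Due Vulnerability Failed' writes its date math unquoted (`< now`) — pick one form across the package. `description` ends with a trailing space.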
@@ -0,0 +1,53 @@ +{ + "id": "6839b82b-22bf-418f-a86b-7e7a4cd074d7", + "type": "security-rule", + "attributes": { + "name": "Endpoint Security Definitions are Out of Date", + "tags": [ + "EPP", + "TYCHON" + ], + "interval": "5m", + "enabled": true, + "description": "TYCHON has reported that the registered endpoint protection platform is out of date and needs to be updated.", + "risk_score": 73, + "severity": "high", + "note": "Depending on the Endpoint Protection Vendor, you will need to push new updated to this endpoint. See the vendor's user guides to determine how to install the most recent AV updates.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "6839b82b-22bf-418f-a86b-7e7a4cd074d7", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "reference": "https://attack.mitre.org/tactics/TA0005", + "name": "Defense Evasion" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "a61d021d-d78f-485d-93b2-8075149794af", + "query": "host.security.antivirus.status : *OutOfDate*", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a.json b/packages/tychon/kibana/security_rule/6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a.json new file mode 100644 index 00000000000..d96a3466872 --- /dev/null +++ b/packages/tychon/kibana/security_rule/6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a.json 
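Review bot: `host.security.antivirus.status : *OutOfDate*` is a leading-wildcard match; on a keyword field that is a wildcard query evaluated against every term in the index, which is slow at scale, and on an analysed text field the tokens may not contain `OutOfDate` at all. If the agent emits a bounded set of status values, match them exactly, e.g. `host.security.antivirus.status : "OutOfDate"` (placeholder — confirm the actual values). Typo in `note`: `push new updated` → `push new updates`.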
@@ -0,0 +1,55 @@ +{ + "id": "6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a", + "type": "security-rule", + "attributes": { + "name": "TPM Compliance Failed", + "tags": [ + "TYCHON", + "STIG" + ], + "interval": "5m", + "enabled": true, + "description": "This host has been determined by TYCHON to be non-compliant with the Trusted Platform Module (TPM), this is due to it being not present or at the wrong version.", + "risk_score": 47, + "severity": "medium", + "note": "Enable TPM 2.0 on this machine, if it is unable to be enabled because the host does not support it, determine the risk and take appropriate measures.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "6d34f6dc-4a36-46cd-a4bb-ea2f1a01ab8a", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0006", + "reference": "https://attack.mitre.org/tactics/TA0006", + "name": "Credential Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [ + "https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c" + ], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "a61d021d-d78f-485d-93b2-8075149794af", + "query": "host.tpm.compliant : false ", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27.json b/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27.json new file mode 100644 index 00000000000..3e015aa8fe1 --- /dev/null +++ b/packages/tychon/kibana/security_rule/867e3450-1139-11ee-af86-538da1394f27.json 
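Review bot: The ATT&CK mapping to Credential Access (TA0006) does not describe a missing or outdated TPM, which is a configuration weakness rather than an adversary technique; the two definitions rules in this commit leave `threat` empty, and that is the better fit here. The description 'non-compliant with the Trusted Platform Module (TPM)' is unclear about what is checked; `non-compliant with the TPM 2.0 requirement (module absent or below version 2.0)` states the condition the `note` then tells the analyst to fix. `query` ends with a trailing space.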
@@ -0,0 +1,53 @@ +{ + "id": "867e3450-1139-11ee-af86-538da1394f27", + "type": "security-rule", + "attributes": { + "name": "High STIG/SCAP Check Failed", + "tags": [ + "TYCHON", + "CCRI", + "SCAP" + ], + "interval": "5m", + "enabled": true, + "description": "A High Severity STIG/SCAP Check failed on an endpoint.", + "risk_score": 60, + "severity": "medium", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "867e3450-1139-11ee-af86-538da1394f27", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "reference": "https://attack.mitre.org/tactics/TA0001", + "name": "Initial Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "7d972a32-d117-4963-a7bf-58fc65fb1ee8", + "query": "rule.result : \"fail\" and rule.severity : \"high\" ", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27.json b/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27.json new file mode 100644 index 00000000000..af84db91b34 --- /dev/null +++ b/packages/tychon/kibana/security_rule/934a39a0-1138-11ee-af86-538da1394f27.json 
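Review bot: This rule has no `note` (investigation guide) while every comparable rule in this commit supplies one; add e.g. `"note": "Review the failed STIG rule on the endpoint and apply the benchmark fix text; track remediation in the CCRI dashboards."`. A High-severity STIG failure is assigned `severity: "medium"` with `risk_score: 60`, presumably a deliberate downgrade relative to the CVE rules; a sentence in `description` saying so would stop a future maintainer "fixing" it. The Initial Access tactic is the same questionable mapping noted on the CVE rules.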
@@ -0,0 +1,54 @@ +{ + "id": "934a39a0-1138-11ee-af86-538da1394f27", + "type": "security-rule", + "attributes": { + "name": "High Vulnerability Failed", + "tags": [ + "TYCHON", + "CVE", + "CCRI" + ], + "interval": "5m", + "enabled": true, + "description": "A host with a high-severity CVE was flagged as being vulnerable.", + "risk_score": 60, + "severity": "medium", + "note": "Investigator should work to resolve this patch and keep a close monitor on this endpoint.", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "934a39a0-1138-11ee-af86-538da1394f27", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0001", + "reference": "https://attack.mitre.org/tactics/TA0001", + "name": "Initial Access" + }, + "technique": [] + } + ], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "5be62502-2bab-4d66-97ff-d9373963c50d", + "query": "vulnerability.severity :\"HIGH\" and vulnerability.result : \"fail\" ", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/bdf083c5-63cb-41ae-bb7a-563cc4e8719f.json b/packages/tychon/kibana/security_rule/bdf083c5-63cb-41ae-bb7a-563cc4e8719f.json new file mode 100644 index 00000000000..f16dc5c4279 --- /dev/null +++ b/packages/tychon/kibana/security_rule/bdf083c5-63cb-41ae-bb7a-563cc4e8719f.json 
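Review bot: The `note` reads "work to resolve this patch", which is not what an analyst does with a patch; `"note": "Apply the vendor patch for this CVE and keep a close watch on this endpoint until the check passes."` says the same thing clearly. `query` ends with a trailing space like the other CVE rules.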
@@ -0,0 +1,54 @@ +{ + "id": "bdf083c5-63cb-41ae-bb7a-563cc4e8719f", + "type": "security-rule", + "attributes": { + "name": "Weak WIFI Authentication in use", + "tags": [ + "TYCHON", + "WIFI" + ], + "interval": "5m", + "enabled": true, + "description": "An endpoint has reported it is connected to a WIFI SSID using a weak Authentication method.", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": "", + "author": [ + "TYCHON" + ], + "false_positives": [], + "from": "now-360s", + "rule_id": "bdf083c5-63cb-41ae-bb7a-563cc4e8719f", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [ + { + "framework": "MITRE ATT\u0026CK", + "tactic": { + "id": "TA0005", + "reference": "https://attack.mitre.org/tactics/TA0005", + "name": "Defense Evasion" + }, + "technique": [] + } + ], + "to": "now", + "references": [ + "https://www.techtarget.com/searchnetworking/feature/Wireless-encryption-basics-Understanding-WEP-WPA-and-WPA2" + ], + "version": 1, + "exceptions_list": [], + "related_integrations": [], + "required_fields": [], + "setup": "", + "type": "query", + "language": "kuery", + "data_view_id": "39822d3a-870f-4a82-8928-e9264b4d1a31", + "query": "host.adapter.wifi.authentication : \"WEP\" or host.adapter.wifi.authentication : \"WPA\" or host.adapter.wifi.authentication : \"WPA-Personal\" or host.adapter.wifi.authentication : \"WPA-Enterprise\"", + "filters": [], + "throttle": "no_actions", + "actions": [] + } +} \ No newline at end of file diff --git a/packages/tychon/kibana/security_rule/beeea32f-31ba-4be8-9e2c-14de47280aac.json b/packages/tychon/kibana/security_rule/beeea32f-31ba-4be8-9e2c-14de47280aac.json new file mode 100644 index 00000000000..d8b3fd0205f --- /dev/null +++ b/packages/tychon/kibana/security_rule/beeea32f-31ba-4be8-9e2c-14de47280aac.json 
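Review bot: The query enumerates WEP, WPA, WPA-Personal and WPA-Enterprise but not open/unauthenticated networks, which are weaker than any of those; if the agent reports such SSIDs with a distinct value (e.g. `"Open"` — placeholder, check the field's value set), include it. No `note` is supplied; a one-liner such as `"note": "Identify the SSID and move the endpoint to a WPA2/WPA3 network; WEP and WPA/TKIP are cryptographically broken."` gives the analyst a next step. The Defense Evasion mapping does not describe a weak Wi-Fi configuration; `"threat": []` as in the definitions rules is more accurate.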
@@ -0,0 +1,56 @@
+{
+ "id": "beeea32f-31ba-4be8-9e2c-14de47280aac",
+ "type": "security-rule",
+ "attributes": {
+ "name": "Past Due Vulnerability Failed",
+ "tags": [
+ "TYCHON",
+ "CVE",
+ "CCRI"
+ ],
+ "interval": "5m",
+ "enabled": true,
+ "description": "TYCHON tracks when vulnerabilities are past expiration to ensure systems are patched before exploits are released or to reduce the attack surface of the endpoint. Due dates are generated from 3 rules:\n1. CISA - Exact CISA Due Date\n2. IAVA - 18 Days from when TYCHON records an IAVA is released\n3. NVD - If a Vulnerability is marked as critical, the due date is generated as 30 days after its release.",
+ "risk_score": 99,
+ "severity": "critical",
+ "note": "Analysts should quarantine hosts that have out-of-date vulnerabilities, these are normally weaknesses that have active exploits in the wild. ",
+ "license": "",
+ "output_index": "",
+ "author": [
+ "TYCHON"
+ ],
+ "false_positives": [],
+ "from": "now-360s",
+ "rule_id": "beeea32f-31ba-4be8-9e2c-14de47280aac",
+ "max_signals": 100,
+ "risk_score_mapping": [],
+ "severity_mapping": [],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0001",
+ "reference": "https://attack.mitre.org/tactics/TA0001",
+ "name": "Initial Access"
+ },
+ "technique": []
+ }
+ ],
+ "to": "now",
+ "references": [
+ "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+ ],
+ "version": 1,
+ "exceptions_list": [],
+ "related_integrations": [],
+ "required_fields": [],
+ "setup": "",
+ "type": "query",
+ "language": "kuery",
+ "data_view_id": "5be62502-2bab-4d66-97ff-d9373963c50d",
+ "query": "vulnerability.result : \"fail\" and vulnerability.due_date \u003c now",
+ "filters": [],
+ "throttle": "no_actions",
+ "actions": []
+ }
+}
\ No newline at end of file
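Review bot: With `"type": "query"`, a 5-minute interval and `"max_signals": 100`, every failing past-due vulnerability document in the 6-minute lookback becomes its own critical alert, and anything beyond 100 per run is dropped; on a large fleet that both floods the alert table and silently truncates the findings the note tells analysts to act on. If the intent is one actionable alert per host, a threshold rule grouped on the host identifier, or at least a higher `max_signals`, would fit the quarantine guidance better. The `"note"` text also has a comma splice (`... out-of-date vulnerabilities, these are ...`) and a trailing space.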
diff --git a/packages/tychon/kibana/security_rule/c40eaba1-7507-4fe7-aae5-78e59cd7b8f2.json b/packages/tychon/kibana/security_rule/c40eaba1-7507-4fe7-aae5-78e59cd7b8f2.json
new file mode 100644
index 00000000000..d2f91e13c06
--- /dev/null
+++ b/packages/tychon/kibana/security_rule/c40eaba1-7507-4fe7-aae5-78e59cd7b8f2.json
@@ -0,0 +1,45 @@
+{
+ "id": "c40eaba1-7507-4fe7-aae5-78e59cd7b8f2",
+ "type": "security-rule",
+ "attributes": {
+ "name": "TYCHON Vulnerability Definitions Out of Date",
+ "tags": [
+ "TYCHON",
+ "CVE"
+ ],
+ "interval": "5m",
+ "enabled": true,
+ "description": "TYCHON updates its definitions daily for vulnerability checks, if systems are too far out of date you are not getting the results for the most recent vulnerabilities further affecting your attack surface.",
+ "risk_score": 73,
+ "severity": "high",
+ "note": "Review the endpoint event logs and determine why TYCHON definitions are not being updated and pushed. Ensure you have downloaded the latest definition installers from the TYCHON support site.\n\nhttps://support.tychon.io",
+ "license": "",
+ "output_index": "",
+ "author": [
+ "TYCHON"
+ ],
+ "false_positives": [],
+ "from": "now-360s",
+ "rule_id": "c40eaba1-7507-4fe7-aae5-78e59cd7b8f2",
+ "max_signals": 100,
+ "risk_score_mapping": [],
+ "severity_mapping": [],
+ "threat": [],
+ "to": "now",
+ "references": [
+ "https://support.tychon.io"
+ ],
+ "version": 1,
+ "exceptions_list": [],
+ "related_integrations": [],
+ "required_fields": [],
+ "setup": "",
+ "type": "query",
+ "language": "kuery",
+ "data_view_id": "a61d021d-d78f-485d-93b2-8075149794af",
+ "query": "tychon.definition.oval \u003c \"now-30d\"",
+ "filters": [],
+ "throttle": "no_actions",
+ "actions": []
+ }
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/security_rule/ccffb8f0-601f-46f6-8ae9-ab8af5e6bbf4.json b/packages/tychon/kibana/security_rule/ccffb8f0-601f-46f6-8ae9-ab8af5e6bbf4.json
new file mode 100644
index 00000000000..58ca78d4f1e
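Review bot: `"tychon.definition.oval \u003c \"now-30d\""` only behaves as a date comparison if `tychon.definition.oval` is mapped as a date; the field mapping is not part of this diff, and on a keyword field the range would be compared lexically against the literal `now-30d`, which never represents "older than 30 days". Confirm the mapping and record the expectation in `"required_fields"`, which is empty here. The description also reads as one run-on sentence (`... for vulnerability checks, if systems are too far out of date ...`); splitting it at the comma would help.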
--- /dev/null
+++ b/packages/tychon/kibana/security_rule/ccffb8f0-601f-46f6-8ae9-ab8af5e6bbf4.json
@@ -0,0 +1,65 @@
+{
+ "id": "ccffb8f0-601f-46f6-8ae9-ab8af5e6bbf4",
+ "type": "security-rule",
+ "attributes": {
+ "name": "New Command Generated a Listening port",
+ "tags": [
+ "TYCHON",
+ "Exposed Services"
+ ],
+ "interval": "1h",
+ "enabled": false,
+ "description": "TYCHON is monitoring endpoints for ports that have been opened at the endpoint, if a new command line was used to start a process that hasn't been seen before this can be cause for concern.",
+ "risk_score": 47,
+ "severity": "medium",
+ "note": "Investigate the endpoint process that was used to open this port",
+ "license": "",
+ "output_index": "",
+ "author": [
+ "TYCHON"
+ ],
+ "false_positives": [],
+ "from": "now-3660s",
+ "rule_id": "ccffb8f0-601f-46f6-8ae9-ab8af5e6bbf4",
+ "max_signals": 100,
+ "risk_score_mapping": [],
+ "severity_mapping": [],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0011",
+ "reference": "https://attack.mitre.org/tactics/TA0011",
+ "name": "Command and Control"
+ },
+ "technique": [
+ {
+ "id": "T1065",
+ "reference": "https://attack.mitre.org/techniques/T1065",
+ "name": "Uncommonly Used Port",
+ "subtechnique": []
+ }
+ ]
+ }
+ ],
+ "to": "now",
+ "references": [],
+ "version": 1,
+ "exceptions_list": [],
+ "related_integrations": [],
+ "required_fields": [],
+ "setup": "",
+ "type": "new_terms",
+ "query": "process.command_line : *",
+ "new_terms_fields": [
+ "source.port",
+ "process.command_line"
+ ],
+ "history_window_start": "now-7d",
+ "filters": [],
+ "language": "kuery",
+ "data_view_id": "b006641c-69de-48bd-9a5a-1125f0da1c0b",
+ "throttle": "no_actions",
+ "actions": []
+ }
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/security_rule/d0d735ed-08fe-4393-9aa6-120236995152.json b/packages/tychon/kibana/security_rule/d0d735ed-08fe-4393-9aa6-120236995152.json
new file mode 100644
index 00000000000..bc6dca8c638
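Review bot: The ATT&CK mapping uses `"id": "T1065"` (Uncommonly Used Port), a technique MITRE deprecated in favor of T1571 Non-Standard Port, so consumers that resolve techniques against current ATT&CK data will not find it; `"id": "T1571"` with the matching reference and name is the current equivalent. The title and note speak of a listening port, but the new-terms key is `source.port`; if the exposed-service dataset records the listening port under another field, the rule keys on the wrong value, so confirm this against the TYCHON field mapping. Shipping the rule with `"enabled": false` and a 7-day `"history_window_start"` is sensible for a noisy new-terms rule, but the description should say that it is disabled by default and why.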
--- /dev/null
+++ b/packages/tychon/kibana/security_rule/d0d735ed-08fe-4393-9aa6-120236995152.json
@@ -0,0 +1,53 @@
+{
+ "id": "d0d735ed-08fe-4393-9aa6-120236995152",
+ "type": "security-rule",
+ "attributes": {
+ "name": "System Volume Mounted to Drive",
+ "tags": [
+ "TYCHON",
+ "Volume"
+ ],
+ "interval": "5m",
+ "enabled": true,
+ "description": "TYCHON has reported that the system volume has been mounted to a drive letter.",
+ "risk_score": 47,
+ "severity": "medium",
+ "note": "Investigate and determine how the drive was mounted and remove the mount if it was done maliciously.",
+ "license": "",
+ "output_index": "",
+ "author": [
+ "TYCHON"
+ ],
+ "false_positives": [],
+ "from": "now-360s",
+ "rule_id": "d0d735ed-08fe-4393-9aa6-120236995152",
+ "max_signals": 100,
+ "risk_score_mapping": [],
+ "severity_mapping": [],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0004",
+ "reference": "https://attack.mitre.org/tactics/TA0004",
+ "name": "Privilege Escalation"
+ },
+ "technique": []
+ }
+ ],
+ "to": "now",
+ "references": [],
+ "version": 1,
+ "exceptions_list": [],
+ "related_integrations": [],
+ "required_fields": [],
+ "setup": "",
+ "type": "query",
+ "language": "kuery",
+ "data_view_id": "02acfb43-5302-4331-bb10-4174171f6091",
+ "query": "volume.system_volume : true and not volume.drive.letter : \"\"",
+ "filters": [],
+ "throttle": "no_actions",
+ "actions": []
+ }
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-026431f0-3de5-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-026431f0-3de5-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..70c29e83076
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-026431f0-3de5-11ee-9610-15dee918f31a.json
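Review bot: `not volume.drive.letter : \"\"` does not exclude documents where `volume.drive.letter` is absent, because a KQL match on the empty string only hits documents that carry the field with that value; if the agent omits the field for an unmounted system volume rather than sending an empty string, this rule fires on every `volume.system_volume : true` document. Requiring the field to exist closes that gap regardless of which convention the producer uses: `volume.system_volume : true and volume.drive.letter : * and not volume.drive.letter : \"\"`. It would also help to state in the description which drive-letter encoding (absent vs empty) the rule expects.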
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#13814a",
+ "description": "TYCHON reported TCP and UDP ports that are or were open and listening on endpoints.",
+ "name": "Open Ports"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-18T16:33:49.204Z",
+ "id": "tychon-026431f0-3de5-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-18T16:33:49.204Z",
+ "version": "WzY4MDI0OCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-11990b80-41b6-11ee-83e4-c92ed141b9e5.json b/packages/tychon/kibana/tag/tychon-11990b80-41b6-11ee-83e4-c92ed141b9e5.json
new file mode 100644
index 00000000000..7a9cf643a5e
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-11990b80-41b6-11ee-83e4-c92ed141b9e5.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#9b2767",
+ "description": "TYCHON capture of Network adapters attached to endpoints.",
+ "name": "Network Adapter"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-23T13:07:53.023Z",
+ "id": "tychon-11990b80-41b6-11ee-83e4-c92ed141b9e5",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-23T13:07:53.023Z",
+ "version": "WzgwNjc5OSwyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-27edf330-3dfd-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-27edf330-3dfd-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..97f75700480
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-27edf330-3dfd-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#c30936",
+ "description": "TYCHON installed software and apps found on an endpoint.",
+ "name": "Applications"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-18T19:26:40.105Z",
+ "id": "tychon-27edf330-3dfd-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-18T19:26:40.105Z",
+ "version": "WzY4MzIzMiwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-39b55820-10f2-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/tychon-39b55820-10f2-11ee-af86-538da1394f27.json
new file mode 100644
index 00000000000..5e7abb98d8a
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-39b55820-10f2-11ee-af86-538da1394f27.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#2075cf",
+ "description": "A Command Cyber Readiness Inspection Report",
+ "name": "CCRI"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-06-22T11:45:03.146Z",
+ "id": "tychon-39b55820-10f2-11ee-af86-538da1394f27",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-06-22T11:45:03.146Z",
+ "version": "WzI3Njg3MSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..4686ef9991e
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#75899c",
+ "description": "This tag indicates a \"Starting Point\" for dashboards that utulize drill downs.",
+ "name": "TYCHON Primary View"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-18T12:04:15.710Z",
+ "id": "tychon-5a3ae0c0-3dbf-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-18T12:04:15.710Z",
+ "version": "WzY3MzY3MCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..ea07996e48a
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#154a15",
+ "description": "The hardware detected by TYCHON as attached to an endpoint",
+ "name": "Hardware"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-18T20:04:47.768Z",
+ "id": "tychon-7b7ab4c0-3e02-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-18T20:04:47.768Z",
+ "version": "WzY4NDA2NCwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-7f851220-3d41-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-7f851220-3d41-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..4bb083d8b89
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-7f851220-3d41-11ee-9610-15dee918f31a.json
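Review bot: The "TYCHON Primary View" tag description has a typo, `utulize`; `"description": "This tag indicates a \"Starting Point\" for dashboards that utilize drill downs."` is the intended text. This string is shown verbatim in the Kibana tag manager, so it is user-facing.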
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#85ed08",
+ "description": "Hard Drives on Computers",
+ "name": "Drives"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-17T21:03:21.673Z",
+ "id": "tychon-7f851220-3d41-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-17T21:03:21.673Z",
+ "version": "WzY2MTI0MSwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-9c222660-1100-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/tychon-9c222660-1100-11ee-af86-538da1394f27.json
new file mode 100644
index 00000000000..41c4144285c
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-9c222660-1100-11ee-af86-538da1394f27.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#58b7ff",
+ "description": "Vulnerability Information",
+ "name": "CVE"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-06-22T13:28:01.234Z",
+ "id": "tychon-9c222660-1100-11ee-af86-538da1394f27",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-06-22T13:28:01.234Z",
+ "version": "WzI4MTM1OSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-a3922360-3de6-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-a3922360-3de6-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..d327204d266
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-a3922360-3de6-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#efe009",
+ "description": "The TYCHON Endpoint Browser allows a user to see detailed Endpoint Reported data for a single host.",
+ "name": "Endpoint Browser"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-18T16:45:29.125Z",
+ "id": "tychon-a3922360-3de6-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-18T16:45:29.125Z",
+ "version": "WzY4MDQ3NSwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-bae88930-1133-11ee-af86-538da1394f27.json b/packages/tychon/kibana/tag/tychon-bae88930-1133-11ee-af86-538da1394f27.json
new file mode 100644
index 00000000000..16caf7e9913
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-bae88930-1133-11ee-af86-538da1394f27.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#14d15e",
+ "description": "Endpoint Protection Statuses",
+ "name": "EPP"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-06-22T19:33:57.192Z",
+ "id": "tychon-bae88930-1133-11ee-af86-538da1394f27",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-06-22T19:33:57.192Z",
+ "version": "WzI4NTA4OSwxM10="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-c957d710-3d4c-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-c957d710-3d4c-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..61c4fd9b410
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-c957d710-3d4c-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#AA6556",
+ "description": "Routing Tables from Systems",
+ "name": "ARP"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-17T22:24:09.990Z",
+ "id": "tychon-c957d710-3d4c-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-17T22:24:09.990Z",
+ "version": "WzY2MzYyNiwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-e18d6100-3c85-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-e18d6100-3c85-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..89ae180af87
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-e18d6100-3c85-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#afaddf",
+ "description": "Master Endpoint Record",
+ "name": "MER"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-16T22:40:20.761Z",
+ "id": "tychon-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-16T22:40:20.761Z",
+ "version": "WzYzNTA3MSwxNl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/tag/tychon-f26ce820-3d47-11ee-9610-15dee918f31a.json b/packages/tychon/kibana/tag/tychon-f26ce820-3d47-11ee-9610-15dee918f31a.json
new file mode 100644
index 00000000000..7e59dbc91ad
--- /dev/null
+++ b/packages/tychon/kibana/tag/tychon-f26ce820-3d47-11ee-9610-15dee918f31a.json
@@ -0,0 +1,17 @@
+{
+ "attributes": {
+ "color": "#bcbc9c",
+ "description": "Virtualization Based Security",
+ "name": "VBS"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-17T21:49:31.431Z",
+ "id": "tychon-f26ce820-3d47-11ee-9610-15dee918f31a",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag",
+ "updated_at": "2023-08-17T21:49:31.431Z",
+ "version": "WzY2MjY4NywxNl0="
+}
\ No newline at end of file
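Review bot: The ARP tag's `"description": "Routing Tables from Systems"` contradicts its `"name": "ARP"`: an ARP cache maps IP addresses to link-layer addresses, which is a different dataset from the routing table, and analysts filtering on this tag need to know which one they are getting. If the tagged dashboards show ARP data, `"description": "ARP cache entries reported from endpoints"` would be accurate; if they show routes, the name is the part to change. It is also the only tag in this set whose `"color"` uses upper-case hex (`#AA6556`); lower-case would match the others.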
diff --git a/packages/tychon/kibana/visualization/tychon-837878a0-c3cb-11eb-8956-0b1a70e695fd.json b/packages/tychon/kibana/visualization/tychon-837878a0-c3cb-11eb-8956-0b1a70e695fd.json
new file mode 100644
index 00000000000..7fc49e47d01
--- /dev/null
+++ b/packages/tychon/kibana/visualization/tychon-837878a0-c3cb-11eb-8956-0b1a70e695fd.json
@@ -0,0 +1,138 @@
+{
+ "attributes": {
+ "description": "",
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9": {
+ "columnOrder": [
+ "ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2",
+ "31cd5bd5-bf05-4039-a241-c75a16ad9165",
+ "87f792ec-41cb-4052-ae3c-8e39032305c0"
+ ],
+ "columns": {
+ "31cd5bd5-bf05-4039-a241-c75a16ad9165": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "rule.result : \"fail\" "
+ },
+ "isBucketed": false,
+ "label": "Total Fails",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "87f792ec-41cb-4052-ae3c-8e39032305c0": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "rule.result : \"pass\" "
+ },
+ "isBucketed": false,
+ "label": "Total Pass",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": true
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Severity",
+ "operationType": "filters",
+ "params": {
+ "filters": [
+ {
+ "input": {
+ "language": "kuery",
+ "query": "rule.severity :\"high\" "
+ },
+ "label": "CAT I"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "rule.severity : \"medium\" "
+ },
+ "label": "CAT II"
+ },
+ {
+ "input": {
+ "language": "kuery",
+ "query": "rule.severity : \"low\" "
+ },
+ "label": "CAT III"
+ }
+ ]
+ },
+ "scale": "ordinal"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "ecc959a5-6cb4-43ed-bd8e-c8a11c51d3d2",
+ "isTransposed": false
+ },
+ {
+ "columnId": "31cd5bd5-bf05-4039-a241-c75a16ad9165",
+ "isTransposed": false,
+ "summaryLabel": "Total",
+ "summaryRow": "sum"
+ },
+ {
+ "columnId": "87f792ec-41cb-4052-ae3c-8e39032305c0",
+ "isTransposed": false,
+ "summaryLabel": "Total",
+ "summaryRow": "sum"
+ }
+ ],
+ "layerId": "93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9",
+ "layerType": "data"
+ }
+ },
+ "title": "CCRI Category Table",
+ "visualizationType": "lnsDatatable"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-31T21:39:00.136Z",
+ "id": "tychon-837878a0-c3cb-11eb-8956-0b1a70e695fd",
+ "managed": false,
+ "references": [
+ {
+ "id": "ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a",
+ "name": "indexpattern-datasource-layer-93bb9ce5-6dc1-41ec-bff3-f8c606cab5c9",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "lens",
+ "typeMigrationVersion": "8.6.0",
+ "updated_at": "2023-08-31T21:39:00.136Z",
+ "version": "WzYyODksNV0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/visualization/tychon-d954bdb0-3298-11ec-b058-cf4fefc29658.json b/packages/tychon/kibana/visualization/tychon-d954bdb0-3298-11ec-b058-cf4fefc29658.json
new file mode 100644
index 00000000000..4477bc53e36
--- /dev/null
+++ b/packages/tychon/kibana/visualization/tychon-d954bdb0-3298-11ec-b058-cf4fefc29658.json
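Review bot: The two count columns disagree on empty handling: the "Total Fails" column has `"emptyAsNull": false` while "Total Pass" has `"emptyAsNull": true`, so a severity bucket with no pass records renders as a blank cell in one column and `0` in the other, and the `"summaryRow": "sum"` totals read inconsistently for the same situation. Pick one value for both (`false` matches the table's "total" semantics). The layer's only reference is index-pattern `ed7c1bb4-5aac-45d4-9aff-06f4d4ad4a9a`, which, like the rule data views earlier in this diff, does not appear as an asset here; presumably it must already exist in the target Kibana, and that prerequisite belongs in the package README.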
@@ -0,0 +1,20 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "title": "CCRI: Benchmark Scores CCRI Weighted - Markdown",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"title\":\"CCRI: Benchmark Scores CCRI Weighted - Markdown\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":10,\"openLinksInNewTab\":false,\"markdown\":\"| CCRI Score | Description |\\n| :------------ | :------------ |\\n| 20-100% | Critical Concern |\\n| 10-20% | Moderate Concern |\\n| 0-10% | Minor Concern |\\n| 0% | No Concern |\\n\"}}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T22:09:42.471Z",
+ "id": "tychon-d954bdb0-3298-11ec-b058-cf4fefc29658",
+ "managed": true,
+ "type": "visualization",
+ "typeMigrationVersion": "8.5.0",
+ "updated_at": "2023-08-30T22:09:42.540Z",
+ "version": "WzIyMDksNF0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/visualization/tychon-e6c0e460-c3da-11eb-8956-0b1a70e695fd.json b/packages/tychon/kibana/visualization/tychon-e6c0e460-c3da-11eb-8956-0b1a70e695fd.json
new file mode 100644
index 00000000000..0301700c4a8
--- /dev/null
+++ b/packages/tychon/kibana/visualization/tychon-e6c0e460-c3da-11eb-8956-0b1a70e695fd.json
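Review bot: The score legend's ranges overlap at every boundary (`20-100%`, `10-20%`, `0-10%`, `0%`), so a score of exactly 10%, 20% or 0% falls into two rows and the reader cannot tell which concern level applies. Making the bounds explicit, for example `> 20%`, `> 10% to 20%`, `> 0% to 10%` and `0%`, removes the ambiguity without changing the thresholds. This markdown object is also marked `"managed": true` while the Lens table in the previous hunk is `"managed": false`; the two should presumably agree, since both are installed by the same package.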
@@ -0,0 +1,20 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ },
+ "title": "CCRI: Total Systems - Metric",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"title\":\"CCRI: Total Systems - Metric\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"params\":{\"field\":\"host.id\",\"customLabel\":\"Systems\",\"emptyAsNull\":false},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}}}}"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-08-30T22:09:42.471Z",
+ "id": "tychon-e6c0e460-c3da-11eb-8956-0b1a70e695fd",
+ "managed": true,
+ "type": "visualization",
+ "typeMigrationVersion": "8.5.0",
+ "updated_at": "2023-08-30T22:09:42.540Z",
+ "version": "WzIyMTAsNF0="
+}
\ No newline at end of file
diff --git a/packages/tychon/kibana/visualization/tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json b/packages/tychon/kibana/visualization/tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json
new file mode 100644
index 00000000000..14ada053e07
--- /dev/null
+++ b/packages/tychon/kibana/visualization/tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc.json
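Review bot: `searchSourceJSON` declares `\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"`, but this saved object has no `references` array at all, so there is no `kibanaSavedObjectMeta.searchSourceJSON.index` entry for Kibana to resolve; as far as I know the visualization importer rejects exactly this case with a could-not-find-reference error, and even if it were tolerated the `host.id` cardinality metric would have no data view to query. Add `"references": [{"id": "<data view id>", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}]` alongside `"type": "visualization"`, the same way the Lens table earlier in this diff references its layer's index pattern. The sibling markdown object in the previous hunk correctly omits `indexRefName` because it reads no data.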
@@ -0,0 +1,33 @@
+{
+ "attributes": {
+ "description": "TYCHON Browser is a series of dashbaords dirlling into indvidual datasets for a single computer.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "title": "[TYCHON] Endpoint Browser -Main Navigation",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"title\":\"[TYCHON] Endpoint Browser -Main Navigation\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Host Info](/app/dashboards#/view/tychon-6165bf50-3dbf-11ee-9610-15dee918f31a-host) | [Network Cards](/app/dashboards#/view/tychon-1af57010-41b6-11ee-83e4-c92ed141b9e5-networkadapter) | [Drives and Disks](/app/dashboards#/view/tychon-380b6c10-3dbd-11ee-9610-15dee918f31a-harddrive) | [Apps and Software](/app/dashboards#/view/tychon-2bd4ca50-3dfd-11ee-9610-15dee918f31a-softwareinventory) | [Hardware](/app/dashboards#/view/tychon-993e07a0-3e02-11ee-9610-15dee918f31a-hardware) | [Vulnerabilities](/app/dashboards#/view/tychon-2de7a3c0-3e08-11ee-9610-15dee918f31a-cve) | [Benchmark Results](/app/dashboards#/view/tychon-e1c9c490-41a5-11ee-83e4-c92ed141b9e5-stig) | [Services and Ports](/app/dashboards#/view/tychon-0c036be0-3de5-11ee-9610-15dee918f31a-exposedservice) | [Protections](/app/dashboards#/view/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp)\"}}"
+ },
+ "coreMigrationVersion": "8.6.2",
+ "created_at": "2023-08-23T21:04:08.909Z",
+ "id": "tychon-ee4b44b0-40e6-11ee-8111-21f5f34f6dfc",
+ "migrationVersion": {
+ "visualization": "8.5.0"
+ },
+ "references": [
+ {
+ "id": "10af3800-10f3-11ee-af86-538da1394f27",
+ "name": "tag-ref-10af3800-10f3-11ee-af86-538da1394f27",
+ "type": "tag"
+ },
+ {
+ "id": "e18d6100-3c85-11ee-9610-15dee918f31a",
+ "name": "tag-ref-e18d6100-3c85-11ee-9610-15dee918f31a",
+ "type": "tag"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2023-08-23T21:04:08.909Z",
+ "version": "WzgyMjAyOSwyMl0="
+}
\ No newline at end of file
diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml
new file mode 100644
index 00000000000..91fb3edc174
--- /dev/null
+++ b/packages/tychon/manifest.yml
@@ -0,0 +1,43 @@
+format_version: 2.0.0
+name: tychon
+release: beta
+title: "TYCHON Agentless"
+version: 0.0.58
+source:
+ license: "Elastic-2.0"
+description: TYCHON Agentless delivers STIG, CVE/IAVA, and Endpoint Protection status without adding new server infrastructure or services to your endpoints. TYCHON datasets fully comply with vulnerability and STIG reporting standards and integrate into Comply-to-Connect for instant zero trust value.
+type: integration
+categories:
+ - config_management
+ - vulnerability_management
+conditions:
+ kibana.version: "^8.8.0"
+ elastic.subscription: "basic"
+screenshots:
+ - src: /img/TychonScreenshot.png
+ title: Tychon Vulnerabilities
+ size: 600x600
+ type: image/png
+ - src: /img/TYCHONScreenShot_1.png
+ title: Tychon Host Information
+ size: 600x600
+ type: image/png
+ - src: /img/TYCHONScreenShot_2.png
+ title: Endpoint Protection
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/TychonLogo.svg
+ title: Sample logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: tychon
+ title: Tychon
+ description: Tychon
+ inputs:
+ - type: logfile
+ title: Tychon
+ description: Tychon
+owner:
+ github: elastic/integrations
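Review bot: The description carries three typos (`dashbaords`, `dirlling`, `indvidual`); `"description": "TYCHON Browser is a series of dashboards drilling into individual datasets for a single computer."` is the intended text, and `"title": "[TYCHON] Endpoint Browser -Main Navigation"` is missing the space after the hyphen. Separately, the tag references use bare ids (`e18d6100-3c85-11ee-9610-15dee918f31a`) while the tag assets in this diff are installed as `tychon-e18d6100-…`, and the first referenced tag, `10af3800-10f3-11ee-af86-538da1394f27`, has no asset in the tag directory shown here; unless Fleet rewrites these references on install, both tag links will dangle and the visualization will not appear under the tags the navigation links rely on. The dashboard links in the markdown already use the `tychon-` prefix, so the asset ids are inconsistent within this one object.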
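Review bot: The icon entry still carries the package scaffold's placeholder, `title: Sample logo`, and the policy template, its input, and both of their descriptions are just `Tychon`, which is the text users see in the Fleet add-integration dialog; `title: TYCHON Agentless` and a one-line description of what the logfile input collects would fix both. A package titled and described as agentless that declares a `logfile` input is also surprising to a reader; if the input exists only to satisfy the package spec, the description should say so. `release: beta` together with `version: 0.0.58` reads as an internal build counter rather than a first public version, so confirm that is the intended starting point for the registry.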